CISO Role Shifting From Technology-focused to Strategic Business Leadership Role
A new study coming from IBM’s Center for Applied Insights looked to tap into the minds of Chief Information Security Officers (CISOs) in order to get their take on the challenges they currently face and their thoughts on what they expect to see in the near future.
Overall, the study showed a fundamental shift taking place where the role of security leaders has been transforming from a technology-focused role to a strategic business leadership role.
“Rather than just reactively responding to security incidents, the CISO's role is shifting more towards intelligent and holistic risk management – from fire-fighting to anticipating and mitigating fires before they start,” the report explains.
"We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical one to a strategic business enabler,” said David Jarvis, author of the report and senior consultant at the IBM Center for Applied Insights. “This demonstrates how integral IT security has become to organizations."
Tasked with protecting the corporate crown jewels – money, customer data, intellectual property and brand – security leaders today are under intense pressure, and nearly two-thirds of the CISOs surveyed said their senior executives are paying more attention to security today than they were two years ago.
As would be expected, the heightened level of alertness comes as a result of several recent high-profile hacks and data breaches.
In addition to explaining the evolving role of the CISO, IBM identified three types of security organizations based on various characteristics.
• Influencers – These organizations, which accounted for about 25% of those surveyed, tend to be more concerned with broader, more systemic risks, and are more likely to assess their ability to deal with future threats and the integration of new technologies. Influencers are twice as likely as Responders to track their progress.
• Protectors – This group, which comprised almost half of the respondents, tends to make security more of a strategic priority by investing more of their budgets on reducing future risks and aligning security initiatives to broader enterprise priorities. These organizations are also more likely to learn from and collaborate with peers.
• Responders – These organizations are more tactically oriented, often focusing on foundational building blocks: incorporating new security technology to close security gaps, redesigning business processes and hiring new staff.
Organizations that fell under the “Influencer” group are more likely to appoint a CISO, a dedicated leader whose value to organizations is supported by Symantec’s recent cost of a data breach study. According to the Symantec study, organizations that employ a CISO with overall responsibility for enterprise data protection paid $80 less per compromised record after a breach compared to those organizations without a CISO.
In its findings, IBM found the following:
• 60% of the “advanced organizations” named security as a regular boardroom topic, compared to only 22% of the least advanced organizations.
• Forward-thinking security organizations are more likely to establish a security steering committee to encourage systemic approaches to security issues that span legal, business operations, finance, and human resources.
• 68 percent of advanced organizations had a risk committee, versus only 26 percent in the least advanced group.
• Leading organizations are twice as likely to use metrics to monitor progress.
• In most organizations, CIOs typically have control over the information security budget. In the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets.
• Lower ranking organizations often lacked a dedicated budget line item altogether, indicating a more tactical, fragmented approach to security.
• Seventy-one percent of advanced organizations had a dedicated security budget line item compared to 27 percent of the least mature group.
• Automated monitoring of standardized metrics allows CISOs to dedicate more time to focusing on broader, more systemic risks.
• Nearly two-thirds of respondents expect information security spend to increase over the next two years and of those, 87% expect double-digit increases.
• More than half of the respondents cited mobile security as a major technology concern over the next two years.
“Given the dynamic nature of the challenge, measuring the state of security within an organization is increasingly important,” explained John Meakin, Global Head of Security Solutions & Architecture, at Deutsche Bank. “Since threats are always moving and solutions are more complex, dynamic and often partial, knowing where you are is essential. Leading indicators could include a variety of measures from the number of applications that have had specific security requirements defined and tested prior to going live to the speed and completeness of correcting known vulnerabilities.”
In order to establish a more confident and capable security organization, IBM suggests that security leaders construct an action plan based on their current capabilities and most pressing needs.
"Security in a hyper-connected era presents a new set of challenges, but these can be greatly eased by implementing innovative practices and adopting a more integrated, holistic approach," said Marc van Zadelhoff, an author of the report and vice president of Strategy, IBM Security Systems. "CISOs that prioritize these factors can help their organizations significantly improve business processes and achieve measurable success in their progress toward building a risk-aware culture that is agile and well-equipped to deal with future threats."
The infographic below highlights additional findings. The full report as a PDF download is available here.
The study interviewed more than 130 security leaders from seven different countries, across a wide range of industries. Nearly 20 percent of the respondents lead information security in enterprises with more than 10,000 employees; 55 percent are in enterprises with 1,000 to 9,999 employees.