Being a successful chief information security officer takes more than an understanding of technology; today’s CISO must also be a business leader who understands where IT security and business objectives meet.
This conclusion can be found inside the 2013 IBM Chief Information Security Officer Assessment released Monday, an annual report based on interviews with C-level executives in organizations around the world. According to the report, security leaders increasingly are communicating regularly with their board of directors and the C-suite to understand what their concerns are.
“The interviewees said that their CEOs are most sensitive about negatively impacting brand reputation or customer trust,” according to the report. “CFOs fret about financial losses due to a breach or incident. COOs lose sleep over operational downtime. Finally, CIOs have a broad set of concerns, including breaches, data loss and implementing technology investments.”
David Jarvis, manager at the IBM Center for Applied Insights, noted that in the 2012 CISO Assessment, researchers confirmed that business executives were paying more attention to security issues and their impact on business.
“In this year’s Assessment those that we interviewed highlighted over and over the need for a strategic approach, good communications skills, building trust and approaching risk management comprehensively,” he said. “Those that can both speak the language of security technology and the language of the business have been most effective.”
Understanding those concerns and knowing what to do about them are different things, of course. Right now, technical and business metrics are focused primarily on operational issues. For example, more than 90 percent said they track security incidents; lost or stolen records, data and devices; and audit and compliance status. Just 12 percent said they are feeding business and security measures into their enterprise risk process. In addition, nearly two-thirds of security leaders do not translate metrics into financial results, and more than half don’t fully integrate security metrics with business risk measurements.
One of the primary challenges enterprises are dealing with is mobile devices. For most of the participants, a comprehensive mobile policy and strategy for personal devices is not yet widely used or considered important. Fewer than 40 percent of organizations have deployed specific response policies for personally owned devices or an enterprise strategy for bring-your-own-device (BYOD), and very few considered these actions to be “most important.”
Enterprises run into a number of challenges when it comes to crafting BYOD policy, including endpoint control, establishing a baseline for app quality and developing a flexible, context-aware access policy.
Organizations need to think less about technology and more about policy, the report argued. Security leaders are looking to address this gap – 39 percent were establishing an enterprise strategy for BYOD.
“Fortify your mobile security, not just with technology but also with a set of business practices and policies – for both individually and business-owned devices,” the report advised.
The report also recommends the CISO formalize his or her role to ensure they are recognized as the single, senior security leader with budget authority. The CISO should also invest in cutting edge technologies as opposed to just foundational ones – but only when they meet a business goal.
“Establish a security strategy that is updated regularly, communicated widely, and developed in conjunction with other strategies in the organization (such as product development, risk and growth),” according to the report. “Develop effective business relations and meet with the C-suite and Board on a frequent basis and develop an approach to manage their diverse concerns. Take those concerns into account when determining what to measure.”