IBM CISO Study Outlines Challenges, Successes of Security Executives

Being a successful chief information security officer takes more than an understanding of technology; today’s CISO must also be a business leader who understands where IT security and business objectives meet.

This conclusion can be found in the 2013 IBM Chief Information Security Officer Assessment released Monday, an annual report based on interviews with C-level executives in organizations around the world. According to the report, security leaders are increasingly communicating regularly with their board of directors and C-suite to understand their concerns.

“The interviewees said that their CEOs are most sensitive about negatively impacting brand reputation or customer trust,” according to the report. “CFOs fret about financial losses due to a breach or incident. COOs lose sleep over operational downtime. Finally, CIOs have a broad set of concerns, including breaches, data loss and implementing technology investments.”

David Jarvis, manager at the IBM Center for Applied Insights, noted that in the 2012 CISO Assessment, researchers confirmed that business executives were paying more attention to security issues and their impact on the business.

“In this year’s Assessment those that we interviewed highlighted over and over the need for a strategic approach, good communications skills, building trust and approaching risk management comprehensively,” he said. “Those that can both speak the language of security technology and the language of the business have been most effective.”

Understanding those concerns and knowing what to do about them are, of course, different things. Right now, technical and business metrics are focused primarily on operational issues. For example, more than 90 percent said they track security incidents; lost or stolen records, data and devices; and audit and compliance status. Just 12 percent said they feed business and security measures into their enterprise risk process. In addition, nearly two-thirds of security leaders do not translate metrics into financial results, and more than half do not fully integrate security metrics with business risk measurements.

One of the primary challenges enterprises are dealing with is mobile devices. For most of the participants, a comprehensive mobile policy and strategy for personal devices is not yet widely used or considered important. Fewer than 40 percent of organizations have deployed specific response policies for personally owned devices or an enterprise strategy for bring-your-own-device (BYOD), and very few considered these actions to be “most important.”

Enterprises run into a number of challenges when it comes to crafting BYOD policy, including endpoint control, establishing a baseline for app quality and developing a flexible, context-aware access policy.

Organizations need to think less about technology and more about policy, the report argued. Security leaders are looking to address this gap – 39 percent were establishing an enterprise strategy for BYOD.

“Fortify your mobile security, not just with technology but also with a set of business practices and policies – for both individually and business-owned devices,” the report advised.

The report also recommends that the CISO formalize the role to ensure he or she is recognized as the single, senior security leader with budget authority. The CISO should also invest in cutting-edge technologies rather than only foundational ones, but only when they meet a business goal.

“Establish a security strategy that is updated regularly, communicated widely, and developed in conjunction with other strategies in the organization (such as product development, risk and growth),” according to the report. “Develop effective business relations and meet with the C-suite and Board on a frequent basis and develop an approach to manage their diverse concerns. Take those concerns into account when determining what to measure.”
