CISOs gaining strategic influence, new study shows

Monday, May 7, 2012

ARMONK, N.Y.—Chief information security officers are gaining more influence and strategic business responsibilities within their companies, according to a new study from IBM. Given the evolving relationship between physical and IT security, the study offers physical security specialists and those CSOs who interact with CISOs a look at how major organizations are beginning to treat IT security as a business, not just technology, imperative.

In more than 130 interviews with information security leaders around the globe, IBM's Center for Applied Insights found that 25 percent of those surveyed are shifting from a purely technology focus to a strategic business leadership role. Respondents also said that corporate leadership is paying more attention to security matters, that security is being treated as a strategic necessity, and that security budgets are growing.

Though the study doesn't discuss how often physical security and information security are managed under the same umbrella at these organizations, it does offer insight into how companies are handling information security functions, which matters to physical security professionals given their evolving relationship with their IT security counterparts. The holistic approach to security, physical and IT, was promoted recently by John Meakin, Deutsche Bank's global head of security solutions and architecture, in a column published on Forbes.com. "Silos make it difficult to manage risk proactively," he said. "As the complexity of making a large enterprise secure grows with the ever-expanding boundaries of the IT estate, on top of the increasing threat, the need for security that is integrated into core business data and processes also grows. So, for example, it is becoming generally accepted wisdom that solving Access Control rigorously and reliably is not a technology problem; it is a business one—one that can only be solved where key business data, about people and about business processes and roles, is shared with the various access control technologies to form an integrated platform. Thus we can help the business to solve their access problem."

The evolution of the CISO position is following in the evolutionary footsteps that other C-suite positions have experienced in past decades. The new IBM study "painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security," David Jarvis, the study's author and senior consultant at the center, said in a statement. "We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s—from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations."

Based on the survey results, the study separated senior information security executives into three categories: the "Influencers," the 25 percent of respondents who have a voice in their company's strategic decisions; the "Protectors," roughly 50 percent of respondents, who recognize the importance of information security as a strategic priority but lack the resources to fully transform their enterprises' security approach; and the "Responders," the remaining 25 percent, who remain largely in response mode and are not making strategic headway. The study noted that these three types of information security executives "are not skewed toward certain demographics," and consistently exist across geographies, industries and enterprise sizes.

The study revealed several characteristics shared by the most mature security programs:

Security is seen as a business, rather than technology, imperative. Nearly two-thirds of the CISOs surveyed said their senior executives are paying more attention to security today than they were two years ago. Sixty percent of the "Influencers" named security as a regular boardroom topic, compared to 22 percent of the "Responders." Also, 68 percent of the more forward-thinking organizations have created security steering committees to encourage systemic approaches to security issues that span legal, business operations, finance and human resources, versus only 26 percent in the least advanced group.

Shared budgetary responsibility with the C-suite. The study showed that within most organizations, CIOs typically have control over the information security budget, but that among the organizations of "Influencers," CEOs were just as likely as CIOs to be steering information security budgets. Among those most advanced organizations, CISOs had budgetary authority only 13 percent of the time. Also, 71 percent of advanced organizations had a dedicated security budget line item, compared to 27 percent of the least mature group. Lower-ranking organizations often lacked a dedicated security budget altogether, indicating a more tactical, fragmented approach to security.

Use of data-driven decision making and measurement. Fifty-nine percent of advanced organizations use standardized metrics for decision making, versus only 26 percent of lower-ranking organizations.

"Given the dynamic nature of the challenge, measuring the state of security within an organization is increasingly important. Since threats are always moving and solutions are more complex, dynamic and often partial, knowing where you are is essential," John Meakin, Deutsche Bank's global head of security solutions and architecture, said in the report. "Although metrics can be a challenge to define and capture, that should not deter organizations from implementing them. Measurement may be imprecise at first but will improve over time—and the process itself can drive valuable insight."

Other results show that more than half of respondents cited mobile security as a primary technology concern over the next two years (the number of mobile workers is expected to reach 1.3 billion by 2015) and that 59 percent of "Influencers" said their primary focus over the next two years will be employee education. Also, nearly two-thirds of respondents expect spending on information security to increase over the next two years, and of those, 87 percent expect double-digit increases.