CISOs Win More Respect - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


CISOs Win More Respect

Almost two-thirds of CISOs say their companies' senior execs have increased attention to information security; 60% of advanced security groups call security a regular boardroom topic, IBM study reports.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
Security is getting more respect. To be precise, almost two-thirds of chief information security officers (CISOs) say that senior executives at their businesses are paying more attention to information security, compared with just two years ago.

That finding comes from a new survey of 138 senior business and IT executives who are responsible for their businesses' information security practices. The survey was designed to identify the types of strategies or approaches being pursued by worldwide businesses. Half the respondents worked at businesses with between 1,000 and 10,000 employees. About 20% oversaw security for businesses with more than 10,000 employees.

"Obviously, the security market has been undergoing a pretty significant transformation over the past couple of years, and we thought that security leadership was transitioning as well," said report co-author David Jarvis, a senior consultant at the IBM Center for Applied Insights, via phone. "We wanted to see if the CISO role was becoming more focused, strategic, and holistic."

[ Read Anonymous Drives Security Fears, But Not Spending. ]

In general, those three trends do seem to be taking place, thanks to CISOs facing greater pressure to make their businesses' information security programs perform better, especially in an age of rampant data breaches, hacktivist attacks, and malware outbreaks. "The number-one challenge that respondents told us about were external threats--as opposed to internal threats, compliance and regulations, integrating new technologies, or things like that," said Jarvis. More than half of respondents also labeled their biggest near-term technology concern as securing mobile technology.

But how effective are security programs at dealing with such challenges, and what could they be doing better? To find out, a related report from IBM--co-authored by Jarvis--used the survey respondents' analysis of their security program's maturity, preparedness, and effectiveness to classify the surveyed organizations as being advanced (25%), average (50%), or below average (25%), and then looked for what each group had most in common.

What's notable is the degree to which more advanced organizations track security metrics and have executives who not only pay attention to the security budget, but also to the security program itself. Notably, 60% of advanced organizations say that security is a regular boardroom topic, compared to 22% of below-average organizations. Likewise, 68% of advanced organizations have a risk committee, while only 26% of below-average businesses say the same.

The study also found that the organizations with the most effective information security programs were twice as likely to use metrics--such as tracking user awareness, employee education, and threat volume--to monitor their progress.

Interestingly, the survey also found that security budgets are set to increase significantly. "Two-thirds of respondents expected their information security spending to increase over the next two years, and 87% [of them] expected double-digit increases," said Jarvis.

Who controls security budgets also makes a difference. Notably, IBM found that "in the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets." In other words, security decision-making appears to be most effective when there's a lot of senior-level buy-in regarding how budgets get allocated. Furthermore, 71% of the most advanced organizations made security an actual line item in their budgets, whereas 73% of below-average businesses didn't break out security as a separate line item.

When it comes to line items, "we use that as a proxy for the business paying more attention, or placing more responsibility," said Jarvis.

In our InformationWeek Government virtual event, Next Steps In Cybersecurity, experts will assess the state of cybersecurity in government and present strategies for creating a more secure IT infrastructure. It happens May 24.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Flash Poll