CISOs Win More Respect - InformationWeek
01:15 PM
[Ransomware] Taking the Mystery out of Ransomware
Dec 07, 2016
Lost data. Systems locked down. Whole companies coming to a grinding halt. When it comes to ransom ...Read More>>

CISOs Win More Respect

Almost two-thirds of CISOs say their companies' senior execs have increased attention to information security; 60% of advanced security groups call security a regular boardroom topic, IBM study reports.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
Security is getting more respect. To be precise, almost two-thirds of chief information security officers (CISOs) say that senior executives at their businesses are paying more attention to information security, compared with just two years ago.

That finding comes from a new survey of 138 senior business and IT executives who are responsible for their businesses' information security practices. The survey was designed to identify the types of strategies or approaches being pursued by worldwide businesses. Half the respondents worked at businesses with between 1,000 and 10,000 employees. About 20% oversaw security for businesses with more than 10,000 employees.

"Obviously, the security market has been undergoing a pretty significant transformation over the past couple of years, and we thought that security leadership was transitioning as well," said report co-author David Jarvis, a senior consultant at the IBM Center for Applied Insights, via phone. "We wanted to see if the CISO role was becoming more focused, strategic, and holistic."

[ Read Anonymous Drives Security Fears, But Not Spending. ]

In general, those three trends do seem to be taking place, thanks to CISOs facing greater pressure to make their businesses' information security programs perform better, especially in an age of rampant data breaches, hacktivist attacks, and malware outbreaks. "The number-one challenge that respondents told us about were external threats--as opposed to internal threats, compliance and regulations, integrating new technologies, or things like that," said Jarvis. More than half of respondents also labeled their biggest near-term technology concern as securing mobile technology.

But how effective are security programs at dealing with such challenges, and what could they be doing better? To find out, a related report from IBM--co-authored by Jarvis--used the survey respondents' analysis of their security program's maturity, preparedness, and effectiveness to classify the surveyed organizations as being advanced (25%), average (50%), or below average (25%), and then looked for what each group had most in common.

What's notable is the degree to which more advanced organizations track security metrics and have executives who not only pay attention to the security budget, but also to the security program itself. Notably, 60% of advanced organizations say that security is a regular boardroom topic, compared to 22% of below-average organizations. Likewise, 68% of advanced organizations have a risk committee, while only 26% of below-average businesses say the same.

The study also found that the organizations with the most effective information security programs were twice as likely to use metrics--such as tracking user awareness, employee education, and threat volume--to monitor their progress.

Interestingly, the survey also found that security budgets are set to increase significantly. "Two-thirds of respondents expected their information security spending to increase over the next two years, and 87% [of them] expected double-digit increases," said Jarvis.

Who controls security budgets also makes a difference. Notably, IBM found that "in the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets." In other words, security decision-making appears to be most effective when there's a lot of senior-level buy-in regarding how budgets get allocated. Furthermore, 71% of the most advanced organizations made security an actual line item in their budgets, whereas 73% of below-average businesses didn't break out security as a separate line item.

When it comes to line items, "we use that as a proxy for the business paying more attention, or placing more responsibility," said Jarvis.

In our InformationWeek Government virtual event, Next Steps In Cybersecurity, experts will assess the state of cybersecurity in government and present strategies for creating a more secure IT infrastructure. It happens May 24.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll