That finding comes from a new survey of 138 senior business and IT executives who are responsible for their businesses' information security practices. The survey was designed to identify the types of strategies or approaches being pursued by worldwide businesses. Half the respondents worked at businesses with between 1,000 and 10,000 employees. About 20% oversaw security for businesses with more than 10,000 employees.
"Obviously, the security market has been undergoing a pretty significant transformation over the past couple of years, and we thought that security leadership was transitioning as well," said report co-author David Jarvis, a senior consultant at the IBM Center for Applied Insights, via phone. "We wanted to see if the CISO role was becoming more focused, strategic, and holistic."
In general, those three trends do seem to be taking place, thanks to CISOs facing greater pressure to make their businesses' information security programs perform better, especially in an age of rampant data breaches, hacktivist attacks, and malware outbreaks. "The number-one challenge that respondents told us about was external threats--as opposed to internal threats, compliance and regulations, integrating new technologies, or things like that," said Jarvis. More than half of respondents also labeled their biggest near-term technology concern as securing mobile technology.
But how effective are security programs at dealing with such challenges, and what could they be doing better? To find out, a related report from IBM--co-authored by Jarvis--used the survey respondents' analysis of their security program's maturity, preparedness, and effectiveness to classify the surveyed organizations as being advanced (25%), average (50%), or below average (25%), and then looked for what each group had most in common.
What's notable is the degree to which more advanced organizations track security metrics and have executives who not only pay attention to the security budget, but also to the security program itself. Notably, 60% of advanced organizations say that security is a regular boardroom topic, compared to 22% of below-average organizations. Likewise, 68% of advanced organizations have a risk committee, while only 26% of below-average businesses say the same.
The study also found that the organizations with the most effective information security programs were twice as likely to use metrics--such as tracking user awareness, employee education, and threat volume--to monitor their progress.
Interestingly, the survey also found that security budgets are set to increase significantly. "Two-thirds of respondents expected their information security spending to increase over the next two years, and 87% [of them] expected double-digit increases," said Jarvis.
Who controls security budgets also makes a difference. Notably, IBM found that "in the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets." In other words, security decision-making appears to be most effective when there's a lot of senior-level buy-in regarding how budgets get allocated. Furthermore, 71% of the most advanced organizations made security an actual line item in their budgets, whereas 73% of below-average businesses didn't break out security as a separate line item.
When it comes to line items, "we use that as a proxy for the business paying more attention, or placing more responsibility," said Jarvis.