CISOs Win More Respect - InformationWeek

CISOs Win More Respect

Almost two-thirds of CISOs say their companies' senior execs have increased attention to information security; 60% of advanced security groups call security a regular boardroom topic, IBM study reports.

Security is getting more respect. To be precise, almost two-thirds of chief information security officers (CISOs) say that senior executives at their businesses are paying more attention to information security, compared with just two years ago.

That finding comes from a new survey of 138 senior business and IT executives who are responsible for their businesses' information security practices. The survey was designed to identify the types of strategies or approaches being pursued by worldwide businesses. Half the respondents worked at businesses with between 1,000 and 10,000 employees. About 20% oversaw security for businesses with more than 10,000 employees.

"Obviously, the security market has been undergoing a pretty significant transformation over the past couple of years, and we thought that security leadership was transitioning as well," said report co-author David Jarvis, a senior consultant at the IBM Center for Applied Insights, via phone. "We wanted to see if the CISO role was becoming more focused, strategic, and holistic."

In general, those three trends do seem to be taking place, thanks to CISOs facing greater pressure to make their businesses' information security programs perform better, especially in an age of rampant data breaches, hacktivist attacks, and malware outbreaks. "The number-one challenge that respondents told us about were external threats--as opposed to internal threats, compliance and regulations, integrating new technologies, or things like that," said Jarvis. More than half of respondents also labeled their biggest near-term technology concern as securing mobile technology.

But how effective are security programs at dealing with such challenges, and what could they be doing better? To find out, a related report from IBM--co-authored by Jarvis--used the survey respondents' analysis of their security program's maturity, preparedness, and effectiveness to classify the surveyed organizations as being advanced (25%), average (50%), or below average (25%), and then looked for what each group had most in common.

What's notable is the degree to which more advanced organizations track security metrics and have executives who not only pay attention to the security budget, but also to the security program itself. Notably, 60% of advanced organizations say that security is a regular boardroom topic, compared to 22% of below-average organizations. Likewise, 68% of advanced organizations have a risk committee, while only 26% of below-average businesses say the same.

The study also found that the organizations with the most effective information security programs were twice as likely to use metrics--such as tracking user awareness, employee education, and threat volume--to monitor their progress.

Interestingly, the survey also found that security budgets are set to increase significantly. "Two-thirds of respondents expected their information security spending to increase over the next two years, and 87% [of them] expected double-digit increases," said Jarvis.

Who controls security budgets also makes a difference. Notably, IBM found that "in the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets." In other words, security decision-making appears to be most effective when there's a lot of senior-level buy-in regarding how budgets get allocated. Furthermore, 71% of the most advanced organizations made security an actual line item in their budgets, whereas 73% of below-average businesses didn't break out security as a separate line item.

When it comes to line items, "we use that as a proxy for the business paying more attention, or placing more responsibility," said Jarvis.
