CISOs Win More Respect - InformationWeek

CISOs Win More Respect

Almost two-thirds of CISOs say their companies' senior execs have increased attention to information security; 60% of advanced security groups call security a regular boardroom topic, IBM study reports.

Security is getting more respect. To be precise, almost two-thirds of chief information security officers (CISOs) say that senior executives at their businesses are paying more attention to information security, compared with just two years ago.

That finding comes from a new survey of 138 senior business and IT executives who are responsible for their businesses' information security practices. The survey was designed to identify the types of strategies or approaches being pursued by worldwide businesses. Half the respondents worked at businesses with between 1,000 and 10,000 employees. About 20% oversaw security for businesses with more than 10,000 employees.

"Obviously, the security market has been undergoing a pretty significant transformation over the past couple of years, and we thought that security leadership was transitioning as well," said report co-author David Jarvis, a senior consultant at the IBM Center for Applied Insights, via phone. "We wanted to see if the CISO role was becoming more focused, strategic, and holistic."

In general, those three trends do seem to be taking place, thanks to CISOs facing greater pressure to make their businesses' information security programs perform better, especially in an age of rampant data breaches, hacktivist attacks, and malware outbreaks. "The number-one challenge that respondents told us about were external threats--as opposed to internal threats, compliance and regulations, integrating new technologies, or things like that," said Jarvis. More than half of respondents also labeled their biggest near-term technology concern as securing mobile technology.

But how effective are security programs at dealing with such challenges, and what could they be doing better? To find out, a related report from IBM--co-authored by Jarvis--used the survey respondents' analysis of their security program's maturity, preparedness, and effectiveness to classify the surveyed organizations as being advanced (25%), average (50%), or below average (25%), and then looked for what each group had most in common.

What stands out is the degree to which more advanced organizations track security metrics and have executives who pay attention not only to the security budget but also to the security program itself. For example, 60% of advanced organizations say that security is a regular boardroom topic, compared with 22% of below-average organizations. Likewise, 68% of advanced organizations have a risk committee, while only 26% of below-average businesses say the same.

The study also found that the organizations with the most effective information security programs were twice as likely to use metrics--such as tracking user awareness, employee education, and threat volume--to monitor their progress.

Interestingly, the survey also found that security budgets are set to increase significantly. "Two-thirds of respondents expected their information security spending to increase over the next two years, and 87% [of them] expected double-digit increases," said Jarvis.

Who controls security budgets also makes a difference. Notably, IBM found that "in the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets." In other words, security decision-making appears to be most effective when there's a lot of senior-level buy-in regarding how budgets get allocated. Furthermore, 71% of the most advanced organizations made security an actual line item in their budgets, whereas 73% of below-average businesses didn't break out security as a separate line item.

When it comes to line items, "we use that as a proxy for the business paying more attention, or placing more responsibility," said Jarvis.
