You want details on security practices, we got 'em.
The 2013 IBM Chief Information Security Officer Assessment study just hit my desk, and I’ve been quickly and voraciously trying to see what’s on the mind of Chief Information Security Officers everywhere (well, mostly everywhere).
In collaboration with the IBM Security Systems and IBM Security Services organizations, the IBM Center For Applied Insights conducted in-depth interviews with 41 senior leaders who have responsibility for information security in their organizations.
The goal: To identify specific organizational practices and behaviors that could strengthen the role and influence of other security leaders.
The security backdrop
As emerging technologies like cloud adoption and mobile computing present new opportunities to organizations, the risk to data grows.
Coupled with sophisticated and advanced threats from attackers, the role of the CISO is becoming more strategic within many organizations. Today’s experienced CISO is required to be both a technologist and a business leader, with the ability to address board level concerns as well as manage complex technologies.
This year’s study uncovered key findings, leading practices, and a set of shortcomings that even mature security leaders are wrestling with.
Looking in depth at three areas -- business practices, technology maturity, and measurement capabilities -- a path emerges that acts as a guide for both new and experienced security leaders.
Business practices: The security leaders interviewed stress the need for strong business vision, strategy and policies, comprehensive risk management, and effective business relations to be impactful in their roles. Understanding the concerns of the C-suite is also critical.
More mature security leaders meet regularly with their boards and C-suites, thereby improving relations. When they meet, the top topics that they discuss include identifying and assessing risks (59 percent), resolving budget issues and requests (49 percent), and new technology deployments (44 percent). The challenge for security leaders is to successfully manage the diverse security concerns of the business.
Technology maturity: Mobile security is the number one “most recently deployed” security technology, with one-quarter of security leaders deploying it in the past 12 months. And although privacy and security in a cloud environment are still concerns, three-fourths (76 percent) have deployed some type of cloud security services -- the most popular being data monitoring and audit, along with federated identity and access management (both at 39 percent).
While cloud and mobile continue to receive a lot of attention within many organizations, foundational technologies that CISOs are focusing on include identity and access management (51 percent), network intrusion prevention and vulnerability scanning (39 percent), and database security (32 percent).
The primary mobile challenge for security leaders is to advance beyond the initial steps and think less about technology and more about policy and strategy. Less than 40 percent of organizations have deployed specific response policies for personally owned devices or an enterprise strategy for bring-your-own-device (BYOD). However, this gap is being recognized -- establishing an enterprise strategy for BYOD (39 percent) and an incident response policy of personally owned devices (27 percent) are the two top planned areas for development for the next 12 months.
Measurement capabilities: Security leaders use metrics mainly to guide budgeting and to make the case for new technology investment. In some cases, they use measurements to help develop strategic priorities for the security organization. In general, however, technical and business metrics are still focused on operational issues.
For example, over 90 percent of interviewees track the number of security incidents, lost or stolen records, data or devices, and audit and compliance status -- fundamental dimensions you would expect all security leaders to track. Far fewer respondents (12 percent) are feeding business and security measures into their enterprise risk processes even though security leaders say the impact of security on overall enterprise risk is their most important success factor.
“It’s evident in this study that security leaders need to focus on finding the delicate balance between developing a strong, holistic security and risk management strategy, while implementing more advanced and strategic capabilities -- such as mobility and BYOD,” said David Jarvis, author of the report and manager at the IBM Center for Applied Insights.
About the assessment
The IBM Center for Applied Insights, in collaboration with IBM Security Systems and IBM Security Services, conducted in-depth interviews with senior leaders who have responsibility for information security in their organizations. The goal of the interviews was to identify specific organizational practices and behaviors that could strengthen the role and influence of other security leaders.
To maintain continuity, interviewees were recruited from the pool of 2012 research participants -- 80 percent of those recruited were prior participants -- with an emphasis on more mature security leaders. Interviewees were from a broad range of industries and four countries. More than 80 percent were associated with large enterprises, and roughly one-third had security budgets of over US$1 million. Access the full study here.
Follow @IBMSecurity on Twitter and learn more at the Security Intelligence Blog.