Finding a Strategic Voice - IBM CISO Study



Insights from the 2012 IBM Chief Information Security Officer Assessment and the role of the CISO

Published in: Technology

  1. Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment. © 2012 IBM Corporation
  2. IBM Security Services. IBM CISO Scope: one of the largest and most complex internal IT infrastructures in the world
     • 2,000-plus major sites
     • 400,000-plus employees
     • 800,000-plus traditional endpoints
     • 170-plus countries
     • About 200,000-plus contractors
     • About 50 percent of employees are mobile
     • Map legend: Major employee sites, Customer fulfillment, Manufacturing, Employee Service Centers, IBM Research Centers, IBM Internal Data Centers + Strategic 3K Strategic Outsourcing Customers
  3. Our customers are just beginning to appoint CISOs
     • Executive roles shown: CFO, CIO or CTO, CLO, CRO, CSO (aka Chief Information Security Officer)
     • CISO functions shown: Risk & Compliance, Policy & Education, Architecture (tools), Operations, Incident Response
     • 81% of CISO functions are re-organizing or have been re-organized within the last 6 months. Changes include increased scope, change in reporting line.
     • Source: Corporate Executive Board, IREC Study, July 2012
  4. IBM’s 2012 Chief Information Security Officer Study
     • Explores the organizational and leadership aspects of information security
     • Tests if the role of information security leaders has been dramatically changing based on:
       - Increasing numbers of security challenges
       - More attention from business leaders
     • Included senior IT decision-makers across a broad range of industries
     • Respondents included a combination of Large Enterprise (73%) and Mid-Market (27%)
  5. Security leaders agree: the security landscape is changing
     • Nearly two-thirds say senior executives are paying more attention to security issues.
     • Two-thirds expect to spend more on security over the next two years.
     • External threats are rated as a bigger challenge than internal threats, new technology or compliance.
     • More than one-half say mobile security is their greatest near-term technology concern.
  6. Business leaders are paying more attention to security issues. 64% say attention from business leadership has increased over the past two years
     • Awareness of threats via media outlets: “Almost every day we hear about other companies receiving cyber attacks.”
     • Increased external risks (prior experience): “We were the victims of a hacker attack and lost a lot of important information.”
     • Compliance/regulatory pressure: “[Due to] the risk of law suits, competitors gaining our info, and compliance fines.”
     • Priority of executive leadership: “I think the main driver is [that] our corporate headquarters is focusing on this area and pushing the info to business leadership.”
     • Internal risks: “Internal information, for example, the exchange with colleagues and customers, lead to an increase in attentiveness.”
  7. Security leaders see external threats as greatest challenge today. The emergence of “de-perimeterizing” technologies
     • [Chart: Primary Security Challenges to Organization. External threats 35%, Internal threats 25%, New technologies and technology trends 20%, Regulations and standards 20%]
     • [Chart: Technology Concerns Over Next 2 Years. Categories: Mobility, Database storage, Cloud computing, Other]
     • Base sizes: CISO Total = 138
     • 69% of respondents ranked external threats as either their #1 or #2 challenge
     • 55% rated mobility issues their primary technology concern over next two years
  8. Security leaders are emerging as key business decision-makers. More strategic leadership roles are now expected in next two years
     • Higher importance: “It is going to become more prominent, a Chief Security Officer who will report to the CEO, not just IT related.” “…will have a much larger say in the matter…influence and his decision-making power within the company will grow.”
     • Wider responsibility: “More accountable to the business. Their audience is expanding.” “In general their role will be moving away from specific risks to global risks. The role will be much larger than it used to be.”
     • Shifting priorities: “The leaders will create new tools to avoid risks.” “…will work more in the policy field... There will be a continuous adjustment of policies in order to protect access to information and the access and transfer of data.”
  9. Three types of Security Leadership Models. “Security leaders are becoming more closely integrated into the business… …and more independent of information technology.”
     • Responders: Establishing a dedicated security leadership role; Automating routine security processes; Primary driver: Crisis
     • Protectors: Aligning security initiatives to broader enterprise priorities; Learning from and collaborating with a network of security peers; Primary driver: Compliance
     • Influencers: Strengthening communication, education and business leadership; Using insights from metrics and data analysis; Primary driver: Risk
  10. Influencers vs. Responders
     • 2x more likely to have a dedicated CISO
     • 2.5x more likely to have a security or risk committee
     • 3x more likely to have information security as a board topic
     • 2x more likely to use standard security metrics to track progress
     • 4x more likely to be focused on improving enterprise wide communication and collaboration over the next two years
     • 2x more likely to focus on providing education and awareness than implementing new security technology over next two years
  11. The CISO action plan…
     • Responders: Move beyond the tactical focus by…
       - Establishing a dedicated security leadership role
       - Assembling a security and risk committee
       - Measuring progress
     • Protectors: Make security more of a strategic priority by…
       - Investing more budget on reducing future risks
       - Aligning security initiatives with enterprise priorities
       - Collaborating and learning with a network of peers
     • Influencers: Innovate and advance security approaches by…
       - Strengthening communication, education and business leadership skills to cultivate a more risk-aware culture
       - Using insights from metrics and data analysis to identify high-value improvement areas
  12. IBM Security Systems. Your questions?
  13. IBM Confidential - v2.7 08/13/12