2012 IBM Chief Information Security Officer Assessment - Executive Summary


2011 was the year of the security breach. And while many security organizations remain in crisis response mode, some security leaders have moved to take a more proactive position, taking steps to reduce future risk. These leaders see their organizations as more mature in their security-related capabilities and better prepared to meet new threats. What have they done to create greater confidence? More importantly, can their actions show the way forward for others?

Slide notes

  • Introduction - With explosive growth in connectivity and collaboration, information security is becoming increasingly complex and difficult to manage. Information security is expanding beyond its technical silo into a strategic, enterprise-wide priority. Some security organizations are rising to the challenge. Our research reveals a distinct pattern of progression – and distinguishing traits of those that are most confident and capable. These forward-thinkers are taking a more proactive, integrated and strategic approach to security, highlighting models worth emulating and the emerging business leadership role of the Chief Information Security Officer (CISO).
  • Why did we decide to undertake this study? Why did we think it was important? We felt that information security leadership was in the process of undergoing a transformation. We wanted to explore the organizational and leadership aspects of information security and test whether the role of information security leaders was dramatically changing, based on the increasing number of security challenges and increased attention from business leaders. We interviewed 138 IT and LOB executives – senior decision makers responsible for information security investments – in seven countries across a wide range of industries.
  • Security leaders are under intense pressure and navigating a period of change. Information security leaders are charged with protecting some of the enterprise’s most valuable assets – money, customer data, intellectual property and, increasingly, brand. Today’s security risks are fundamentally different; instead of managing current threats, businesses have to be proactive about security. They need to anticipate the kinds of risks that expanding the business or opening up operations to more clients and partners will create.
    - Executive Attention – Nearly two-thirds of CISOs surveyed say their senior executives are paying more attention to security today than they were two years ago, as a series of high-profile hacking and data breach incidents have convinced them of the key role that security needs to play in the modern enterprise.
    - Budget & Spend – Nearly two-thirds of respondents expect information security spend to increase over the next two years. Of those, 87% expect double-digit increases and 11% expect increases of more than 50%.
    - Threat – External threats were the top overall challenge; 69% of respondents ranked external threats as either their number one or number two challenge.
    - Challenges – Securing the mobile world is a major challenge – 55% of respondents cited mobile security as a primary technology concern over the next two years.
    - Aspirations – Two years from now, respondents expect to be spending more time reducing potential future risks, and less time mitigating current known threats or complying with government/industry mandates.
    Attention + resources + greater threat + technical challenges + aspiration = a time for change
  • Based on a self-assessment of their security capabilities, three groups emerged – what we called Responders, Protectors and Influencers. We asked respondents to assess themselves and their security organizations in two different ways – one strategic and one tactical. From a tactical perspective, we asked how prepared their security organization was for a potential breach or security incident. From a strategic perspective, we asked them to assess their overall security maturity – was it adequate or was it world-class? Based on a combination of those two factors, we were able to segment the respondents into three groups.
    - Influencers – This group’s members, 25 percent of those surveyed, see their security organizations as progressive, ranking themselves highly in both maturity and preparedness. These security leaders have business influence and authority – a strategic voice in the enterprise.
    - Protectors – Comprising almost half of our sample, these security leaders recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises’ security approach.
    - Responders – This group remains largely in response mode, working to protect the enterprise and comply with regulations and standards but struggling to make strategic headway. They may not yet have the resources or business influence to drive significant change.
    NOTE: Interestingly, these three security segments are not skewed toward certain demographics. The mix of industries, geographies and enterprise sizes is generally consistent across all groups. There were slight differences (e.g., Influencers were weighted slightly to larger organizations) but nothing significant enough to impact the results.
  • What are Influencers doing to make themselves more confident in their capabilities? Through an analysis of security leaders’ responses, we discovered a distinct pattern of evolution among security organizations – and the distinguishing traits of those that are most advanced. We looked at:
    - Structure and management (how they were organized and how they operated)
    - Organizational reach (how they were working across the enterprise, collaborating, working with business leadership)
    - Measures of success (how they measured progress, how they were assessed)
    Organizations in the Influencer group are more likely to appoint a CISO – a dedicated leader with a strategic, enterprise-wide purview (56% of Influencer respondents). Influencers also tend to have a security steering committee headed by a senior executive, often the CISO (68% of Influencer respondents). The vast majority of Influencers benefit from a dedicated security budget line item supporting their efforts (71% of Influencer respondents). Across the full sample, CIOs typically control the information security budget. However, among Protector and Influencer organizations, investment authority lies with business leaders more often. The Influencers have the attention of business leaders and their boards (77% and 60% respectively). When comparing Influencers to Responders, Influencers are:
    - 2x more likely to have a dedicated CISO
    - 2.5x more likely to have a security or risk committee
    - 3x more likely to have information security as a board topic
    - 2x more likely to use a standard set of security metrics to track their progress
  • Influencers are turning their attention to people and building a risk-aware culture. The Influencers have the attention of business leaders and their boards – security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. These leaders understand the need for more pervasive risk awareness – and are far more focused on enterprise-wide education, collaboration and communication. They are working closely with business functions to create a culture in which employees take a more proactive role in protecting the enterprise. Because they are more integrated with the business, these security organizations are also able to influence the design of new products and services, incorporating security considerations early in the process.
  • Influencers are more likely to measure progress through a wider variety of metrics and devote more attention to systemic change. Influencers are twice as likely as Responders to track their progress. Given their intent to build a more risk-aware culture, these organizations measure user awareness and educational programs more than Protectors and Responders do. Because they are concerned with broader, more systemic risks, Influencers are also more likely to assess their ability to deal with future threats and the integration of new technologies. Influencers are not only gaining the attention of business leaders and working collaboratively across the enterprise; they are also being held responsible and accountable for what they do through formal measurements.
  • The case for security leadership. Despite constant threats and a growing range of risks, some organizations are more confident and capable. Their approaches highlight the importance of a broader charter for the security function – and a more strategic role for information security leaders. Adopting this more holistic strategy involves significant change. Security leaders must assume a business leadership position and dispel the idea that information security is a technology support function. Their purview must encompass education and cultural change, not just security technology and processes. Leaders will need to reorient their security organizations around proactive risk management rather than crisis response and compliance. To accomplish these objectives, security leaders should construct an action plan based on their current capabilities and most pressing needs.

Transcript

  • 1. IBM Center for Applied Insights, May 2012. Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment. IBM Client. © 2012 IBM Corporation
  • 2. With explosive growth in connectivity and collaboration, information security is becoming increasingly complex and difficult to manage. In 2011, the corporate world experienced the second highest data loss total since 2004. The number of mobile workers is expected to reach 1.3 billion by 2015. At the same time, mobile security threats are increasing – up almost 20 percent in 2011. Sources: Verizon 2012 Data Breach Investigations Report; IDC
  • 3. To obtain a global snapshot of security leaders’ strategies and approaches, we asked 138 security leaders in…
    - Seven countries
    - A wide range of industries
    - ~20% from enterprises with 10,000+ employees
    - ~55% from enterprises with 1,000-9,999 employees
  • 4. Security leaders shared their views on how the security landscape is changing. Source: IBM Center for Applied Insights
  • 5. Based on a self-assessment of their security capabilities, three groups emerged. (Chart: Self-assessed maturity and preparedness.) One-quarter of security leaders are “Influencers”. Source: IBM Center for Applied Insights
  • 6. Influencers are much more likely to have elevated information security to a strategic priority. (Chart: Security Profiles.) Source: IBM Center for Applied Insights
  • 7. Influencers are turning their attention to people and building a risk-aware culture. Source: IBM Center for Applied Insights
  • 8. Influencers are more likely to measure progress through a wider variety of metrics and devote more attention to systemic change. (Chart: Importance of Metrics.) Source: IBM Center for Applied Insights
  • 9. Security leaders must assume a business leadership position and dispel the idea that information security is a technology support function.
    Responders can move beyond their tactical focus by:
    - Establishing a dedicated security leadership role (like a CISO), assembling a security and risk committee, and measuring progress
    - Automating routine security processes to devote more time and resources to security innovation
    Protectors can make security more of a strategic priority by:
    - Investing more of their budgets on reducing future risks
    - Aligning information security initiatives to broader enterprise priorities
    - Learning from and collaborating with a network of security peers
    Influencers can continue to innovate and advance their security approaches by:
    - Strengthening communication, education and business leadership skills to cultivate a more risk-aware culture
    - Using insights from metrics and data analysis to identify high-value improvement areas
  • 10. For more information, contact David Jarvis/Providence Client Insights, Senior Consultant, IBM Center for Applied Insights. IBM.com: http://www.ibm.com/smarter/cai/security