The IBM Center for Applied Insights and IBM Security present their annual CISO Assessment, with this year’s edition, Fortifying for the future, focusing on continuing issues for security leaders and how they can better prepare for an uncertain future.

1. © 2014 IBM Corporation
Fortifying for the future
Insights from the 2014 IBM Chief Information Security Officer Assessment
December 2014

2. © 2014 IBM Corporation
The CISO Assessments have chronicled critical and emerging issues for
security leaders – while also identifying leading practices to pursue
2
2012 2013 2014
Finding a strategic
voice
A new standard for
security leaders
Fortifying for the
future
Established three
archetypes for security
leaders – the Responder,
the Protector, and the
Influencer – and explored
their characteristics.
Identified practical steps
for security leaders to
reach the position of
Influencer – through
business practices,
technology, and
measurement.
Seeks to define the next
stage in the evolution of
security leadership in order
to provide
recommendations for the
future.

3. © 2014 IBM Corporation
Countries: US, Canada, UK, Australia, India
Industries: Education, Financial Markets, Healthcare
Provider, Retail, Telecommunications, Banking,
Consumer Products, Production/Manufacturing, Utilities
and Energy, Insurance, Media and Entertainment,
Travel and Transportation, Electronics, Aerospace and
Defense, Agriculture, Automotive, Chemicals,
Wholesale, Biotechnology/Life Sciences
63% of organizations surveyed
had a named CISO
To explore the future of security leadership, we performed 138 in-depth
interviews with organizations’ senior-most security leaders
3

4. © 2014 IBM Corporation
For the vast majority of security leaders, the world has dramatically changed
in the last three years. Leaders are:
4

5. © 2014 IBM Corporation
A large majority of organizations have redefined their
view of security over the past three years
More influence
90% strongly agree that they have significant influence in their
organization
76% say that their degree of influence has significantly increased in the
last 3 years
Organizational
support
71% strongly agree that they are receiving the organizational support that
they need
Strong internal
collaboration
82% participate in strategic/C-suite meetings quarterly or more frequently
62% develop their security strategy in conjunction with other strategies
(primarily IT, risk, and operations)
5

6. © 2014 IBM Corporation
The threat is considered so great that many feel like
they are losing the fight
83% say that the challenge posed by external threats has increased in the last three
years (42% said dramatically)
59% strongly agree that the sophistication of attackers is outstripping the sophistication
of their organization’s defenses
40% say that sophisticated external threats are their top current challenge – the number
one area overall
6
External threats will require the most organizational effort over the
next three to five years – as much as regulations, new technologies,
and internal threats combined

7. © 2014 IBM Corporation7

8. © 2014 IBM Corporation
To better manage risk, security leaders need to start
securing ecosystems, not just their own organizations
8
62% strongly agree that the risk level to
their organization is increasing due to the
number of interactions and connections with
customers, partners, and suppliers
86% think that formal industry-related
security organizations will become more
necessary in the next 3-5 years – but only
42% are currently members of such
organizations today
Security leaders are more likely to share threat
information with some parties than others

9. © 2014 IBM Corporation
New technology is seen as the primary way to minimize
gaps, but emerging areas may need a different approach
9
54% can not envision new security technologies that are
needed beyond what currently exists
72% strongly agree that real time security intelligence is becoming
increasingly important to their organization
86% have adopted cloud or have initiatives in the planning stage – of those,
three-fourths see their cloud security budget increasing over the next 3-5 years
Only 45% strongly agree that they have an effective mobile device
management approach

10. © 2014 IBM Corporation10
While some established
capabilities are widely seen
as mature, other important
areas like mobile and device
security need to catch up

11. © 2014 IBM Corporation
Regulations and standards will continue to be major
factors – but there is great uncertainty over exactly how
79% said the challenge from regulations and standards has increased over the past
three years
Regulations and standards was the #2 area requiring the most organizational effort to
address in the next three to five years (46% put it in their top three)
Given possible scenarios for the future, security leaders were most uncertain about
whether governments will handle security governance on a national or global level and
how transparent they will be
Only 22% think that a global approach to combating cybercrime will be agreed upon in
the next three to five years
11

12. © 2014 IBM Corporation
There are a number of actions security leaders can take today to begin
fortifying their organizations for the future
Enhance education and leadership skills
Technology skills continue to be important, but pure business skills
will take on more importance with security leaders’ growing influence
Shore up cloud, mobile, and data security
Leaders are not waiting for future technology capabilities to solve their
problems, they are focused on deploying today’s security technologies
to minimize their gaps
Engage in more external collaboration
Leaders should make a concerted effort to determine how to build trust
and clearly assess the security of their ecosystem
Plan for multiple government scenarios
Regular dialogue with chief privacy officers and general counsels
is essential for leaders to understand what requirements may arise
12

13. © 2014 IBM Corporation
For more information
David A. Jarvis
Manager, Thought Leadership, IBM Center for Applied Insights
djarvis@us.ibm.com
www.ibm.com/ibmcai/ciso
www.ibm.com/security/ciso

14. © 2014 IBM Corporation© 2014 IBM Corporation14
© Copyright IBM Corporation 2014
IBM Corporation
New Orchard Road
Armonk, NY 10504
Produced in the United States of America
December 2014
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corporation in the United States, other countries or both. If these and other IBM
trademarked terms are marked on their first occurrence in this information with a trademark
symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned
by IBM at the time this information was published. Such trademarks may also be registered
or common law trademarks in other countries. Other product, company or service names
may be trademarks or service marks of others. A current list of IBM trademarks is available
on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be changed by IBM at
any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY
OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the
terms and conditions of the agreements under which they are provided.