The document summarizes the findings of a study conducted by IBM's Center for Applied Insights that interviewed 138 security leaders from different industries and countries. It found that security organizations can be categorized into three groups: Influencers, Protectors, and Responders based on their self-assessment of security maturity and preparedness. Influencers have the most strategic approach, seeing security as a business priority. They are more likely to have a dedicated CISO, security budget, and measure progress. The study shows that Influencers' integrated, risk-based approach can serve as a model for other organizations looking to improve their security posture and leadership.
A CIRO's-eye view of Digital Risk Management, by Daren Dunkel
The document discusses an interview with James Christiansen, VP of Information Risk Management for Optiv Security, which was formed from the merger of Accuvant and Fishnet Security. Christiansen discusses how the role of CISO is changing to focus more broadly on information risk management (CIRO). He emphasizes the importance of aligning cybersecurity spending with business objectives and risk exposure. In an ideal security program, there would be clear governance, reporting to the executive team, and balance between protective measures, visibility, and incident response capabilities. The document ends by discussing questions boards should ask executives about cybersecurity risks and oversight of the security program.
HP ArcSight State of Security Ops whitepaper, by rickkaun
The document summarizes findings from security operations maturity assessments conducted by HP on 69 security operations centers (SOCs) globally since 2008. Key findings include:
1) The average maturity level of SOCs remains below the ideal level of 3 on HP's 5-level scale, with 24% unable to provide consistent security monitoring and only 30% meeting business/compliance goals.
2) Having experienced a public data breach is often the fastest path to a more capable SOC, as companies then have a clear business case for investment.
3) Reliance on technology alone is insufficient: investment in skilled security analysts is also needed to effectively detect and respond to modern threats.
4) Industry alignment can directly impact
The case for a Cybersecurity Expert on the Board of an SEC firm, by David Sweigert
This document discusses cybersecurity risks that boards of directors need to address. It notes that 48% of directors cited data security as their top concern in a recent study, up from 25% in 2008. The document recommends that boards oversee management's efforts to mitigate cyber threats, assess risks, and devote adequate resources. It emphasizes that boards should communicate the importance of cybersecurity to management and create a culture that views it as a responsibility. While technical issues may be daunting, boards are not expected to be experts and should rely on management and consultants for advice.
The results of this year’s Internal Audit Capabilities and Needs Survey show that, not surprisingly, cybersecurity represents a major focus for internal audit programs, but it is far from the only pressing issue on internal audit’s plate.
CISOs are moving from compliance-based cybersecurity programs to risk-based programs focused on addressing the real security risks organizations face. They are adopting sophisticated frameworks to assess threats, prioritize investments, and communicate strategy to stakeholders. Frameworks provide standards and best practices to protect systems and data, helping CISOs focus on strategic goals rather than just checking boxes. Customizing frameworks based on an organization's unique risks and needs leads to deeper understanding and more effective security programs.
In January-February 2016, the EIU surveyed 1,100 senior executives on data security practices within their firms. The survey’s primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security.
The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total.
This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (e.g. CEOs, CFOs, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs).
Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts.
Managed Security For A Not So Secure World Wp090991, by Erik Ginalick
This white paper discusses the need for managed security services given the growing threat landscape and constrained IT budgets. It notes that good security requires continual monitoring and adaptation to new threats. Compliance with regulations is also difficult given shrinking resources. Outsourcing security to an expert provider allows organizations to focus on core operations while gaining access to skilled professionals, comprehensive solutions, and expertise in managing security risks. The white paper concludes that a managed security strategy can help reduce costs and ensure compliance while allowing IT staff to focus on business needs.
State of Security Operations 2016 report of capabilities and maturity of cybe... at MicroFocus Italy
As businesses continue to adopt new cloud and mobile functionality rapidly, we find the
edges of the network even more blurred, and our definitions of data ownership and breach
responsibility continue to evolve. Staffing and training continue to be the foremost challenge
of the modern SOC. This is paving the way to hybrid staffing models and hybrid infrastructures
that require less in-house expertise. As a result, highly skilled security team members can then
be utilized for a more specialized hunt and analytics-focused work.
There is no question this year has been both an exciting and challenging time to be in the field
of cyber security. On one hand, it is disheartening to see the continued decline in the maturity
and effectiveness of security operations, while, on the other, I know that we are in the middle
of an exciting and transformative change in our field. You can feel it. We must go where the
data leads us, and we believe that is to widen our definition of security operations to leverage
analytics, data science, Big Data, and shared intelligence to become more effective in protecting
today’s digital enterprise.
This global study, conducted by the Economist Intelligence Unit (EIU) and sponsored by Palo Alto Networks, sheds light on the ways business leaders are dealing with the increasing volume of threats they face from insecurities that arise because of disruption beyond their corporate borders.
For in-depth interviews from industry leaders on how companies are combating security threats, go to https://goo.gl/fXcnLN
Cybersecurity has escalated to a major board-level concern and corporate governance issue. Boards of directors now play an important oversight role in ensuring organizations have adequate cybersecurity measures, response plans, and roadmaps to address growing threats. Management is responsible for executing specific security steps, while the board provides advisory and monitoring functions. These include assessing security readiness, stress testing response plans, conducting independent reviews, and establishing long-term strategies. With continued board guidance, organizations can better mitigate risks and adapt to changing cyber threats.
Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks are created equal. In the minds of senior executives, the greatest danger of cyber-attacks is damage to the reputation of the firm with its customers.
Digital has increased businesses’ cybersecurity risk – and yet few have elevated security to a senior leadership concern, according to our recent research. Here’s what businesses are thinking about cybersecurity, and a framework for strengthening their security strategies.
Developing Metrics for Information Security Governance, by digitallibrary
Information security has become a critical issue within organizations, and a key success factor for businesses. To effectively maintain the integrity and security of an organization's information infrastructure, effective security metrics and measures must be developed, implemented and monitored. Learn about enterprise security metrics and the concepts that must be considered when developing, implementing, and monitoring them. Understand how to identify measurable points and activities, develop meaningful metrics and measures, and monitor them. Case studies and scenarios demonstrate the benefits and challenges of securing information in operational settings.
The document summarizes the findings of a 2017 study on the cost of cybercrime. Some key findings include:
1) The average annual cost of cybercrime increased significantly from the previous year, rising 27.4% to $11.7 million.
2) Costs varied significantly by country, with the US having the highest average cost at $21 million and Australia the lowest at $5.41 million. Germany saw costs rise the most, increasing 42.4% from the previous year.
3) Spending on security technologies that provide the greatest cost savings, like security intelligence systems, could help organizations better balance their security investments and reduce cybercrime costs.
This document summarizes interviews with 20 CISOs and CIOs from ACSC member organizations on the current state of board engagement in cybersecurity. The key findings are organized around five elements of the relationship between boards and management: 1) Boards currently have limited expertise in cybersecurity issues; 2) Cybersecurity is not consistently integrated into corporate strategies and budgets; 3) Metrics and measurements to evaluate cybersecurity performance are still maturing; 4) Structures for board oversight of cybersecurity can be improved; 5) Management seeks to build board expertise to facilitate more strategic partnerships on balancing digital transformations and cybersecurity risks. The document provides recommendations to advance board engagement.
2015 Scalar Security Study Executive Summary, by patmisasi
The document summarizes a study on the cyber security readiness of Canadian organizations. It finds that only 41% of respondents believe they are winning the cyber war due to challenges like lack of in-house expertise. Organizations experience an average of 34 cyber attacks per year, with almost half involving sensitive information loss. High-performing organizations that invest more in cyber security (12% of IT budget vs 8% for low performers) are better prepared to mitigate risks and experienced fewer attacks involving information loss (38% vs 53%). The practices of high performers can help organizations improve cyber security effectiveness.
A Russell Reynolds Associates study on cybersecurity that explores the importance of the relationship between the Chief Information Security Officer and the Board of Directors.
For Corporate Boards, a Cyber Security Top 10, by David X Martin
Corporate boards of directors have a fiduciary duty to understand and oversee cyber security. For most effective oversight, boards should approach cyber security from a good management-practices perspective rather than a technical perspective.
Cybersecurity risks affect all senior executives in an organization. While the CEO may want to delegate cybersecurity to the CTO, effective programs require input from multiple stakeholders. A comprehensive understanding of technical, financial, and regulatory risks is needed to develop an appropriate strategy. Regular communication to the CEO should focus on trends, risks, and major incidents rather than technical details. Quantifying potential financial losses from data breaches can help obtain support for necessary security investments.
RSA Security Brief: Taking Charge of Security in a Hyperconnected World, by EMC
The new RSA Security Brief highlights that basic security lapses still contribute to most security incidents. The report identifies top areas for improvement and provides practical guidance on measures that deliver the greatest impact on organizations' ability to respond to cyber attacks and data breaches.
About RSA Security Brief:
RSA Security Briefs provide security leaders and risk management executives with essential guidance on today's most pressing information security threats and opportunities. Each Brief is created by a select team of experts who connect experiences across organizations to share specialized knowledge on a critical security topic. Offering both big-picture insight and practical technology guidance, RSA Security Briefs are vital reading for today's forward-thinking security and risk management practitioners.
White paper cyber risk appetite defining and understanding risk in the moder..., by balejandre
Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise.
Assessing and Managing IT Security Risks, by Chris Ross
Data privacy and protection has become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data centric security and the need for improvement in automated security controls and metrics reporting.
The document discusses the importance of separating the roles of information security (InfoSec) and information technology (IT) within organizations. It argues that InfoSec and IT have different priorities, with InfoSec focused on evaluating and mitigating risks, and IT focused on enabling business operations through technology. The document also suggests that the InfoSec role should be separated into three distinct roles (the technical information security officer, the business information security officer, and the strategic information security officer) to properly address security issues at different levels of the organization. By separating but closely aligning the InfoSec and IT roles, organizations can better protect their information assets against modern cyber threats.
This document summarizes a webinar on meeting the cyber risk challenge. The webinar discussed how cyber attacks are increasing in frequency and impact. While organizations are becoming more concerned about cyber security, many are still not strategically focused on the issue. The webinar advocates for an enterprise risk management approach involving all departments and stakeholders. It also discusses the role of cyber risk insurance to cover gaps in traditional insurance policies.
CISOs are moving from compliance-based cybersecurity programs to risk-based programs focused on the organization's strategic needs. Frameworks help CISOs assess risks, prioritize threats, develop strategies, and communicate priorities to gain support. While compliance is still important, frameworks drive strategic investments in reducing the highest risks. CISOs customize frameworks and use third-party skills and data to implement risk-based programs.
The document discusses findings from a 2013 IBM study on the role of Chief Information Security Officers (CISOs). Key findings include:
- More mature security leaders focus on strategy, policies, education, risks, and business relations.
- Leaders build trust by communicating transparently and frequently.
- Foundational security technologies like identity and access management are still important.
- Mobile security has significant attention and investment.
- Metrics are used more for budgets than risk, and need to be translated to business language.
The challenges security leaders face include managing diverse stakeholder concerns, improving mobile security policy and not just technology, and translating metrics into business impact. More strategic, risk-focused security leadership is emerging as the new standard.
Russell Reynolds Associates addresses five cybersecurity leadership questions that Boards of Directors and executives should ask themselves. These questions cover a range of aspects, from the Board's level of preparedness to managing talent so as to protect the business in a comprehensive way.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
Who is responsible for security in the enterprise? Every company takes a different approach, but in many cases, accountability and authority do not reside in the same role. When this happens, it’s hard to tell who is responsible for securing digital assets. No wonder executives are worried.
This global study, conducted by the Economist Intelligence Unit (EIU) and sponsored by Palo Alto Networks, sheds light on the ways business leaders are dealing with the increasing volume of threats they face from insecurities that arise because of disruption beyond their corporate borders.
For in-depth interviews from industry leaders on how companies are combating security threats, go to https://goo.gl/fXcnLN
Cybersecurity has escalated to a major board-level concern and corporate governance issue. Boards of directors now play an important oversight role in ensuring organizations have adequate cybersecurity measures, response plans, and roadmaps to address growing threats. Management is responsible for executing specific security steps, while the board provides advisory and monitoring functions. These include assessing security readiness, stress testing response plans, conducting independent reviews, and establishing long-term strategies. With continued board guidance, organizations can better mitigate risks and adapt to changing cyber threats.
Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks are created equal. In the minds of senior executives, the greatest danger of cyber-attacks is damage to the reputation of the firm with its customers.
Digital has increased businesses’ cybersecurity risk – and yet few have elevated security to a senior leadership concern, according to our recent research. Here’s what businesses are thinking about cybersecurity, and a framework for strengthening their security strategies.
Developing Metrics for Information Security Governancedigitallibrary
Information security has become a critical issue within organizations, and a key success factor for businesses. To effectively maintain the integrity and security of an organization's information infrastructure effective security metrics and measures must be developed, implemented and monitored. Learn about enterprise security metrics and the concepts that must be considered when developing, implementing, and monitoring them. Understand how to identify measurable points and activities, develop meaningful metrics and measures and monitor concepts. Case studies and scenarios demonstrate operational scenarios for the benefits and challenges of securing information.
The document summarizes the findings of a 2017 study on the cost of cybercrime. Some key findings include:
1) The average annual cost of cybercrime increased significantly from the previous year, rising 27.4% to $11.7 million.
2) Costs varied significantly by country, with the US having the highest average cost at $21 million and Australia the lowest at $5.41 million. Germany saw costs rise the most, increasing 42.4% from the previous year.
3) Spending on security technologies that provide the greatest cost savings, like security intelligence systems, could help organizations better balance their security investments and reduce cybercrime costs.
This document summarizes interviews with 20 CISOs and CIOs from ACSC member organizations on the current state of board engagement in cybersecurity. The key findings are organized around five elements of the relationship between boards and management: 1) Boards currently have limited expertise in cybersecurity issues; 2) Cybersecurity is not consistently integrated into corporate strategies and budgets; 3) Metrics and measurements to evaluate cybersecurity performance are still maturing; 4) Structures for board oversight of cybersecurity can be improved; 5) Management seeks to build board expertise to facilitate more strategic partnerships on balancing digital transformations and cybersecurity risks. The document provides recommendations to advance board engagement.
2015 Scalar Security Study Executive Summarypatmisasi
The document summarizes a study on the cyber security readiness of Canadian organizations. It finds that only 41% of respondents believe they are winning the cyber war due to challenges like lack of in-house expertise. Organizations experience an average of 34 cyber attacks per year, with almost half involving sensitive information loss. High-performing organizations that invest more in cyber security (12% of IT budget vs 8% for low performers) are better prepared to mitigate risks and experienced fewer attacks involving information loss (38% vs 53%). The practices of high performers can help organizations improve cyber security effectiveness.
Estudio de Russell Reynolds Associates sobre ciberseguridad que explora la importancia de la relación entre el Chief Information Security Officer y el Consejo de Administración.
For Corporate Boards, a Cyber Security Top 10David X Martin
Corporate boards of directors have a fiduciary duty to understand and oversee cyber security. For most effective oversight, boards should approach cyber security from a good management-practices perspective rather than a technical perspective.
Cybersecurity risks affect all senior executives in an organization. While the CEO may want to delegate cybersecurity to the CTO, effective programs require input from multiple stakeholders. A comprehensive understanding of technical, financial, and regulatory risks is needed to develop an appropriate strategy. Regular communication to the CEO should focus on trends, risks, and major incidents rather than technical details. Quantifying potential financial losses from data breaches can help obtain support for necessary security investments.
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldEMC
The new RSA Security Brief highlights that basic security lapses still contribute to most security incidents. The report identifies top areas for improvement and provides practical guidance on measures that deliver the greatest impact on organizations' ability to respond to cyber attacks and data breaches.
About RSA Security Brief :
RSA Security Briefs provide security leaders and risk management executives with essential guidance on today's most pressing information security threats and opportunities. Each Brief is created by a select team of experts who connect experiences across organizations to share specialized knowledge on a critical security topic. Offering both big-picture insight and practical technology guidance, RSA Security Briefs are vital reading for today's forward-thinking security and risk management practitioners.
Read More via
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise
Assessing and Managing IT Security RisksChris Ross
Data privacy and protection has become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data centric security and the need for improvement in automated security controls and metrics reporting.
The document discusses the importance of separating the roles of information security (InfoSec) and information technology (IT) within organizations. It argues that InfoSec and IT have different priorities, with InfoSec focused on evaluating and mitigating risks, and IT focused on enabling business operations through technology. The document also suggests that the InfoSec role should be separated into three distinct roles - the technical information security officer, business information security officer, and strategic information security officer - to properly address security issues at different levels of the organization. By separating but closely aligning the InfoSec and IT roles, organizations can better protect their information assets against modern cyber threats.
This document summarizes a webinar on meeting the cyber risk challenge. The webinar discussed how cyber attacks are increasing in frequency and impact. While organizations are becoming more concerned about cyber security, many are still not strategically focused on the issue. The webinar advocates for an enterprise risk management approach involving all departments and stakeholders. It also discusses the role of cyber risk insurance to cover gaps in traditional insurance policies.
CISOs are moving from compliance-based cybersecurity programs to risk-based programs focused on the organization's strategic needs. Frameworks help CISOs assess risks, prioritize threats, develop strategies, and communicate priorities to gain support. While compliance is still important, frameworks drive strategic investments in reducing the highest risks. CISOs customize frameworks and use third-party skills and data to implement risk-based programs.
The document discusses findings from a 2013 IBM study on the role of Chief Information Security Officers (CISOs). Key findings include:
- More mature security leaders focus on strategy, policies, education, risks, and business relations.
- Leaders build trust by communicating transparently and frequently.
- Foundational security technologies like identity and access management are still important.
- Mobile security has significant attention and investment.
- Metrics are used more for budgets than risk, and need to be translated to business language.
The challenges security leaders face include managing diverse stakeholder concerns, improving mobile security policy (not just technology), and translating metrics into business impact. More strategic, risk-focused security leadership is emerging as the new standard.
Russell Reynolds Associates addresses five cybersecurity leadership questions that boards of directors and executives should ask themselves. These questions cover a range of issues, from the board's level of preparedness to talent management, with the aim of protecting the business in a comprehensive way.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies' IT security priorities around processes, practices and technology for 2012 and beyond.
Who is responsible for security in the enterprise? Every company takes a different approach, but in many cases, accountability and authority do not reside in the same role. When this happens, it’s hard to tell who is responsible for securing digital assets. No wonder executives are worried.
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Accenture Technology
Business theft and fraud have morphed into significant new threats as companies battle well-funded, highly motivated digital adversaries. Cyber defense rules have clearly changed.
Executive leaders must recognize how exposed their organizations are today and take steps to establish a holistic, end-to-end security strategy capable of protecting their most valuable assets and business operations.
This document provides a summary of findings from Hewlett Packard Enterprise's (HPE) annual assessment of the capabilities and maturity of cyber defense organizations. Key findings include that only 15% of assessed organizations have achieved recommended maturity levels, that the median maturity level remains below optimal, and that adoption of hybrid infrastructure, hybrid staffing models and automation has increased because of skills shortages and the need to monitor complex IT environments. HPE believes that most organizations should target maturity level 3 (defined processes), but that truly innovative security operations are moving towards threat hunting, data analytics and intelligence sharing.
The document discusses improvements organizations have made to address cyber threats, but also areas that still need work. It finds that many organizations now recognize the extent of cyber threats, with 76% owning information security policies at the highest level. 70% conduct security assessments of third parties accessing their data. However, the document notes that while improvements have been made, organizations need to do more quickly to address increasing cyber risks. Leading practices and innovation are needed to better protect against known and unknown future threats.
Information security assessment of companies in Germany, Austria and Switzerland, February 2015.
Every day, critical security incidents show the drastic extent of "successful" cyber attacks on organizations in terms of monetary and material loss. With the increasing use of digital technologies and the growing spread of mobile and IoT, cyber security is becoming a key factor in companies' successful digital transformation. To analyze current challenges, trends and the maturity of companies' information security, Capgemini Consulting DACH conducted a survey in Germany, Austria and Switzerland. The 2014 Information Security Benchmarking Study shows that information security is insufficiently embedded in most companies' business strategy and operations to effectively safeguard organizations against current cyber threats.
https://www.de.capgemini-consulting.com/resources/information-security-benchmarking
Priming your digital immune system: Cybersecurity in the cognitive eraLuke Farrell
Learn how cognitive security may be a powerful tool in addressing challenges security professionals face.
New capabilities for a challenging era
Security leaders are working to address three gaps in their current capabilities: in intelligence, speed and accuracy. Some organizations are beginning to explore the potential of cognitive security solutions to address these gaps and get ahead of their risks and threats. There are high expectations for this technology. Fifty-seven percent of the security leaders we surveyed believe that it can significantly slow the efforts of cybercriminals. The 22 percent of respondents who we call "Primed" have started their journey into the cognitive era of cybersecurity; they believe they have the familiarity, the maturity and the resources they need. To begin the journey, it is important to explore your weaknesses, determine how you want to augment your capabilities with cognitive solutions and think about building education and investment plans for your stakeholders.
This document provides guidance for chief information security officers (CISOs) on engaging with their organization's board of directors regarding cybersecurity. It notes that boards are increasingly involved in overseeing security due to regulatory pressures and high-profile data breaches. The document offers advice on how CISOs can establish effective communication with boards, including translating technical security topics into business impacts and risks, benchmarking the organization's security posture against industry peers, and quantifying security issues and their associated costs and risk exposure. The goal is for CISOs to gain board support for their security programs and help boards understand security's strategic importance in reducing risks to the business.
Under cyber attack: EY's Global information security survey 2013EY
This document summarizes the key findings from a survey of over 1,900 organizations on cybersecurity threats and responses. Some of the main points include:
- Many organizations have improved their cybersecurity programs but still have work to do to address evolving threats. Top priorities include business continuity, cyber risks, and data protection.
- Budgets for cybersecurity are increasing for 43% of organizations, but information security professionals still feel budgets are insufficient.
- Focus is shifting from basic security operations to improving and innovating programs. However, skilled resources and executive support still lag behind needs.
- Around half of organizations now align their security strategy with business and IT strategies, showing increased understanding of security's importance.
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
This document summarizes findings from 118 security operations maturity assessments of 87 organizations in 18 countries. It finds that the median maturity level remains below the ideal level of 3, and 20% of organizations scored below the minimum level of 1. The top issue facing security operations is the shortage of skilled resources. While organizations are investing in new technologies, many neglect operational budgets and processes, resulting in immature capabilities. Visible breaches have increased focus on security from executive leadership and boards.
This document discusses best practices for cybersecurity policy and governance in government organizations. It emphasizes the importance of aligning security policies with business objectives to enable operations rather than hinder them. Effective risk management requires identifying critical assets, analyzing threats and vulnerabilities, and understanding breach implications. It also stresses the need for strong executive support of security policies and constant policy refreshment as technologies change.
Cyber-security is the number one technology issue in the C-suite and Board Room. No wonder that many senior executives are asking what they can be doing to stem the tide of cyber-attacks on their firms.
The document discusses the challenges of hiring the right Chief Information Security Officer (CISO) for financial services firms. It notes that the CISO role is still evolving and there is no consensus on the required qualifications. It recommends that firms clarify the CISO role and their security needs by making cybersecurity a board-level priority, assessing their current security posture and vulnerabilities, and evaluating their security culture. Taking these steps will help firms define the right profile for their next CISO candidate.
The document discusses how investing more in cybersecurity does not necessarily lead to better outcomes. While 99% of organizations have a security risk management strategy, those that are confident in their strategy (42%) significantly outperform those that are not (57%) in key business metrics like costs, efficiency, and customer satisfaction. The document advocates for focusing on a risk management strategy that is business-driven and updated regularly rather than excessive spending on cybersecurity, in order to free up resources for digital transformation initiatives. It provides perspectives from IT professionals on challenges with visibility, staying current on threats, and needing a framework to guide decisions.
The document summarizes the findings of a report analyzing the capabilities and maturity of 87 cyber defense organizations across 18 countries based on 118 assessments conducted by HP. The key findings were that the median maturity score of cyber defense teams is well below the ideal level of 3, with 20% of organizations failing to achieve even basic security monitoring capabilities. Common issues included lack of skilled resources, immature processes, and an over-reliance on technology without consideration of people and business factors. The report provides insights into industry trends and recommendations for improving security operations maturity.
1. How often do you see non-sanctioned cloud services in use?
2. Are we protecting ourselves against insider threats?
3. Do we have a cyber security task force in place?
4. Is our BYOD policy secure?
5. Do you feel limited by your security budget or staff size?
Organizations are increasing spending on cybersecurity but many still have vulnerabilities. While larger organizations are improving protection and increasing budgets, over 75% still lack sufficient cybersecurity. Common vulnerabilities include careless employees, outdated security controls, and unauthorized access. Few organizations have matured programs across threat intelligence, vulnerability management, breach detection and response. Most breaches go undetected, and many organizations only increase security after experiencing harm from a breach. Overall, while awareness and spending are rising, many organizations still have work to do to strengthen basic protections of their most critical assets and information.
Security has risen to the top of the agenda amongst most C-suite executives and boards of directors today. Rapidly evolving security threats pose an ongoing, central challenge, as companies and governments face an increasingly sophisticated threat environment.
Accenture collaborated with the Ponemon Institute, LLC to explore the success factors of companies that demonstrated measurable improvement in security effectiveness over a period of two years. Find out how leapfrog organizations are improving their security posture and more quickly detecting security threats.
This white paper discusses the challenges of hiring the right Chief Information Security Officer (CISO) and provides recommendations to improve the hiring process. It notes that the CISO role is still evolving and most executives do not fully understand the role's responsibilities. It recommends that companies clarify the CISO role by making cybersecurity a board-level priority, assessing current security strengths and weaknesses, and evaluating organizational security culture to identify needed CISO skills. Taking these steps will help companies define CISO job requirements and find candidates best suited to their specific cybersecurity needs.
This IBM Redpaper provides a brief overview of OpenStack and a basic familiarity with its usage with the IBM XIV Storage System Gen3. The illustration scenario that is presented uses an IaaS implementation based on the OpenStack Folsom release, with Ubuntu Linux servers and the IBM Storage Driver for OpenStack. For more information on IBM Storage Systems, visit http://ibm.co/LIg7gk.
Visit http://bit.ly/KWh5Dx to 'Follow' the official Twitter handle of IBM India Smarter Computing.
Learn how all-flash storage needs end-to-end storage efficiency. For more information on IBM FlashSystem, visit http://ibm.co/10KodHl.
Learn about vSphere Storage API for Array Integration on the IBM Storwize family. IBM Storwize V7000 Unified combines the block storage capabilities of Storwize V7000 with file storage capabilities into a single system for greater ease of management and efficiency. For more information on IBM Storage Systems, visit http://ibm.co/LIg7gk.
Learn about IBM FlashSystem 840 and its complete product specification in this Redbook. FlashSystem 840 provides scalable performance for the most demanding enterprise class applications. IBM FlashSystem 840 accelerates response times with IBM MicroLatency to enable faster decision making. For more information on IBM FlashSystem, visit http://ibm.co/10KodHl.
Visit http://on.fb.me/LT4gdu to 'Like' the official Facebook page of IBM India Smarter Computing.
Learn about the IBM System x3250 M5. The x3250 M5 offers energy-efficiency features that save energy, reduce operational costs, increase energy availability and contribute to a green environment; energy-efficient planar components help lower operational costs. For more information on System x, visit http://ibm.co/Q7m3iQ.
http://www.scribd.com/doc/210746104/IBM-System-x3250-M5
This Redbook talks about the product specification of IBM NeXtScale nx360 M4. The NeXtScale nx360 M4 server provides a dense, flexible solution with a low total cost of ownership (TCO). The half-wide, dual-socket NeXtScale nx360 M4 server is designed for data centers that require high performance but are constrained by floor space. For more information on System x, visit http://ibm.co/Q7m3iQ.
http://www.scribd.com/doc/210745680/IBM-NeXtScale-nx360-M4
The IBM System x3650 M4 HD is a 2-socket 2U rack-optimized server that supports up to 32 internal drives and features an innovative design for optimal performance, uptime, and dense storage. It offers excellent reliability, availability, and serviceability for improved business environments. The server is designed for easy deployment, integration, service, and management.
Here are the product specifications for the IBM System x3300 M4. This product can be managed remotely. The x3300 M4 server contains IBM IMM2, which provides advanced service-processor control, monitoring, and an alerting function. The IMM2 lights LEDs to help you diagnose the problem, records the error in the event log, and alerts you to the problem. For more information on System x, visit http://ibm.co/Q7m3iQ.
Learn about IBM System x iDataPlex dx360 M4. IBM System x iDataPlex is an innovative data center solution that maximizes performance and optimizes energy and space efficiency. The iDataPlex solution provides customers with outstanding energy and cooling efficiency, multi-rack level manageability, complete flexibility in configuration, and minimal deployment effort. For more information on System x, visit http://ibm.co/Q7m3iQ.
http://www.scribd.com/doc/210744055/IBM-System-x-iDataPlex-dx360-M4
The IBM System x3500 M4 server provides powerful and scalable performance for business applications in an energy efficient tower or rack design. It features the latest Intel Xeon E5-2600 v2 or E5-2600 processors with up to 24 cores, 768GB RAM, 32 hard drives, and 8 PCIe slots. Comprehensive systems management tools and redundant components help ensure high availability, while its small footprint and 80 Plus Platinum power supplies reduce data center costs.
Learn about the system specifications for the IBM System x3550 M4. The x3550 M4 offers numerous features to boost performance, improve scalability, and reduce costs. It improves productivity by offering superior system performance with up to 12-core processors, up to 30 MB of L3 cache, and up to two 8 GT/s QPI interconnect links. For more information on System x, visit http://ibm.co/Q7m3iQ.
Learn about the IBM System x3650 M4. The x3650 M4 is an outstanding 2U two-socket business-critical server, offering improved performance and pay-as-you-grow flexibility along with new features that improve server management capability. For more information on System x, visit http://ibm.co/Q7m3iQ.
http://www.scribd.com/doc/210741926/IBM-System-x3650-M4
Learn about the product specification of IBM System x3500 M3. System x3500 M3 has an energy-efficient design which works in conjunction with the IMM to govern fan rotation based on the readings that it delivers. This saves money under normal conditions because the fans do not have to spin at high speed. For more information on System x, visit http://ibm.co/Q7m3iQ.
http://www.scribd.com/doc/210741626/IBM-System-x3500-M3
Learn about the IBM System x3400 M3. The x3400 M3 offers numerous features to boost performance and reduce costs, and it can grow with your application requirements. Powerful systems management features simplify local and remote management of the x3400 M3. For more information on System x, visit http://ibm.co/Q7m3iQ.
Learn about the IBM System x3250 M3, a single-socket server that offers new levels of performance and flexibility to help you respond quickly to changing business demands. Cost-effective and compact, it is well suited to small to mid-sized businesses, as well as large enterprises. For more information on System x, visit http://ibm.co/Q7m3iQ.
http://www.scribd.com/doc/210740347/IBM-System-x3250-M3
Learn about IBM System x3200 M3 and its specifications. The System x3200 M3 features easy installation and management with a rich set of options for hard disk drives and memory. The efficient design helps to save energy and provide a better work environment with less heat and noise. For more information on System x, visit http://ibm.co/Q7m3iQ.
http://www.scribd.com/doc/210739508/IBM-System-x3200-M3
Learn about the configuration of IBM PowerVC. IBM PowerVC is built on OpenStack, which controls large pools of server, storage, and networking resources throughout a data center. IBM Power Virtualization Center provides security services that support a secure environment. Installation requires just 20 minutes to get a virtual machine up and running. For more information on Power Systems, visit http://ibm.co/Lx6hfc.
Learn about IBM POWER7 virtualization performance. PowerVM Lx86 is a cross-platform virtualization solution that enables a wide range of x86 Linux applications to run on Power Systems platforms within a Linux on Power partition without modification or recompilation of the workloads. For more information on Power Systems, visit http://ibm.co/Lx6hfc.
http://www.scribd.com/doc/210734237/A-Comparison-of-PowerVM-and-Vmware-Virtualization-Performance
This reference architecture document describes deploying the VMware vCloud Enterprise Suite on the IBM PureFlex System hardware platform. Key points:
- The vCloud Suite software provides components for managing and delivering cloud services, while the IBM PureFlex System provides an integrated hardware platform in a single chassis.
- The reference architecture focuses on installing the vCloud Suite management components as virtual machines on an ESXi host to manage consumer resources.
- The IBM PureFlex System provides servers, networking, and storage in a single chassis that can then be easily scaled out. This standardized deployment accelerates provisioning of cloud infrastructure.
- Deployment considerations cover systems management using IBM Flex System Manager, as well as server, networking and storage configurations.
Learn how x6, the sixth generation of EXA Technology, is fast, agile and resilient for emerging workloads, from Alex Yost, Vice President, IBM PureSystems and System x, IBM Systems and Technology Group. x6 drives cloud and big data for enterprises by delivering insight faster, thereby outperforming competitors. For more information on System x, visit http://ibm.co/Q7m3iQ.
http://www.scribd.com/doc/210715795/X6-The-sixth-generation-of-EXA-Technology
IBM Center for Applied Insights
Finding a strategic voice
Insights from the 2012 IBM Chief Information Security Officer Assessment
About the study
To obtain a global snapshot of security leaders' strategies and approaches, the IBM Center for Applied Insights conducted double-blind interviews with 138 security leaders, the IT and line-of-business executives responsible for information security in their enterprises. Some of these leaders carried the title of Chief Information Security Officer (CISO), but given the diversity of organizational structures, many did not. The Center supplemented this quantitative research through in-depth conversations with 25 information security leaders.
Participation spanned a broad range of industries and seven different countries. Nearly 20 percent of the respondents lead information security in enterprises with more than 10,000 employees; 55 percent are in enterprises with 1,000 to 9,999 employees.
This study, along with other security and risk management resources for CIOs and CISOs, is available from ibm.com/smarter/cai/security.
"Security leaders are becoming more closely integrated into the business – and more independent of information technology."
– Senior VP of IT, Energy and Utilities [3]
With explosive growth in connectivity and collaboration, information security is becoming increasingly complex and difficult to manage. Yet, some security organizations are rising to the challenge. Our research reveals a distinct pattern of progression, and distinguishing traits of those that are most confident and capable. These forward-thinkers are taking a more proactive, integrated and strategic approach to security, highlighting models worth emulating and the emerging business leadership role of the Chief Information Security Officer (CISO).
In today's hyper-connected world, information security is expanding beyond its technical silo into a strategic, enterprise-wide priority. It takes only a glance at news headlines to see why. In 2011, the corporate world experienced the second-highest data loss total since 2004. [1]
Security leaders are navigating a period of significant change. IT is no longer confined to the back office or even the enterprise. Entire value chains, from suppliers to customers, are electronically connected and collaborating as never before. Devices and ways of accessing information are proliferating. The number of mobile workers is expected to reach 1.3 billion by 2015. At the same time, mobile security threats are increasing, up almost 20 percent in 2011. [2] It all adds up to much greater vulnerability.
While many organizations remain in crisis response mode, some have moved beyond a reactive stance and are taking steps to reduce future risk. They see themselves as more mature in their security-related capabilities and better prepared to meet new threats. What have these enterprises done to create greater confidence? More importantly, can their actions show the way forward for others?
The changing security landscape: What we learned
Charged with protecting some of the enterprise's most valuable assets (money, customer data, intellectual property and even its brand), security leaders are under intense pressure. Our study findings point to major shifts in attitudes and clear recognition of the strategic importance of information security:
• Business leaders are increasingly concerned with security issues. Nearly two-thirds of security leaders say their senior executives are paying more attention to security today than they were two years ago, due in large part to media attention.
• Budgets are expected to increase. Two-thirds of security leaders expect spending on information security to rise over the next two years. Of those, almost 90 percent anticipate double-digit growth. One in ten expects increases of 50 percent or more.
• Attention is shifting toward risk management. In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues.
• External threats are the primary security challenge. Drawing far more attention than internal threats, technology introduction or regulatory compliance, outside threats top the list of security concerns.
• Mobile security is a major focus. Given increasingly mobile workforces and the high rate of wireless device adoption, more than half of security leaders say mobile security will be their major technology challenge over the next two years.
Across the board, we saw general agreement on the heightened importance of information security. And most companies report having a centralized security function. However, looking deeper, at the actions, plans and strategies of security leaders, we found great disparity in how organizations are actually implementing "centralized" security.
"Security leaders are more accountable to the business now. Their audience is expanding."
– CIO, Insurance
How prepared are organizations…really?
When security leaders rank themselves on their organizations' maturity and their ability to handle or avoid a breach, three types of organizations emerge, as shown in Figure 1:
• Influencers: This group's members, 25 percent of those surveyed, see their security organizations as progressive, ranking themselves highly in both maturity and preparedness. These security leaders have business influence and authority, a strategic voice in the enterprise.
• Protectors: Comprising almost half of our sample, these security leaders recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises' security approach.
• Responders: This group remains largely in response mode, working to protect the enterprise and comply with regulations and standards but struggling to make strategic headway. They may not yet have the resources or business influence to drive significant change.
Knowing that some companies are very confident while others see gaps raises an important question. What are Influencers doing differently?
Figure 1: Only one-quarter of security leaders believe their organizations are mature and have high confidence in their ability to avoid or contain a breach. [Chart: self-assessment of maturity and preparedness, plotted as security organization maturity (low to high) against breach preparedness (low to high), one dot per 5 respondents: Influencers 25%, Protectors 47%, Responders 28%.]
Figure 2: Influencers are much more likely to have elevated information security to a strategic priority.
Security profiles (Responders / Protectors / Influencers)
Structure and management
  Dedicated CISO: 26% / 42% / 56%
  Security/risk committee: 26% / 52% / 68%
  Budget line item: 27% / 45% / 71%
  Budget authority: CIO (30%), IT VP/Director/Manager (24%), CFO (18%) / CIO (32%), CFO (20%), CEO (20%) / CIO (26%), CEO (26%), CISO (13%)
Organizational reach
  Increased leadership attention: 50% / 68% / 77%
  Regular board topic: 22% / 58% / 60%
  Primary focus over next two years: New security technology (46%), Updating business processes (36%) / Employee education (53%), New security technology (42%) / Employee education (59%), Communications/collaboration (24%)
Measurement
  Standardized metrics: 26% / 43% / 59%
What makes Influencers stand out
Interestingly, these three security segments are not skewed toward certain demographics. The mix of industries, geographies and enterprise sizes is generally consistent across all groups. The key differences are found in their information security profiles: their structure, scope and accountability. Through an analysis of security leaders' responses, we discovered a distinct pattern of evolution among security organizations (see Figure 2), and the distinguishing traits of those that are most advanced.
"Information security leaders will have a much larger say in the matter; influence and decision-making power within the company will grow."
– IT Division Head, Media and Entertainment
Structure and management
Because their senior management teams recognize the need for a coordinated approach, organizations in the Influencer group are more likely to appoint a CISO, a dedicated leader with a strategic, enterprisewide purview. Influencers also tend to have a security steering committee headed by a senior executive, often the CISO. The committee's main charter is to evaluate security issues holistically and develop an integrated enterprise strategy. It is responsible for systemic changes that span functions, including legal, business operations, finance, human resources and more.
The vast majority of Influencers benefit from a dedicated security budget line item supporting their efforts. Across the full sample, CIOs typically control the information security budget. However, among Protector and Influencer organizations, investment authority lies with business leaders more often. In fact, Influencers say CEOs are just as likely as CIOs to be steering their information security budgets.
Among Responders, CISOs and steering committees are less common, which suggests their approach to security is more tactical and fragmented. The lack of a dedicated budget line item may force their security organizations to constantly negotiate for funding or limit the scope of initiatives to specific functions or silos.
A CISO perspective: Wider view, broader role
By Paul Connelly
Vice President and Chief Information Security Officer, Hospital
Corporation of America
The security leader role is changing because of several
key dynamics. The value and volume of information are
increasing for many companies, threats to that information
are becoming more sophisticated and relentless, and the
impacts of security breakdowns are becoming more costly.
And among business leaders, customers and the public
at large, expectations for the protection of information are
higher than ever.
As a result, security leaders have to focus on innovative
and highly efficient ways to protect company data, and
take a wider view of information protection that extends
beyond just security measures. The priority of, and spending
on, information protection needs to be a business
decision, which may drive change in traditional reporting
structures within IT. Alignment with risk management and
privacy, disaster recovery and business continuity planning,
and physical security offers a clear advantage. It can
potentially eliminate overlap, create synergies and drive
company efficiencies in information protection, enabling
the security leader to become a broader information
risk-management player.
Responders are more tactically oriented. They are
concentrating on foundational building blocks: incorporating new
security technology to close security gaps, redesigning business
processes and hiring new staff. While technology and business
processes are still important to Influencers, they are in the
mode of continuously innovating and improving rather than
establishing basic capabilities.
Across all three groups, mobile security is the top technical
challenge, dominating the agendas of Responders (60 percent)
and Protectors (63 percent). Among Influencers, however,
mobile security is part of an end-to-end strategy. These
Influencers are focused not only on securing mobile access
(33 percent), but also protecting cloud (30 percent) and
database storage (30 percent).
Organizational reach
The Influencers have the attention of business leaders and
their boards. Security is not an ad hoc topic, but rather a
regular part of business discussions and, increasingly, the
culture. These leaders understand the need for more pervasive
risk awareness, and are far more focused on enterprisewide
education, collaboration and communication (see Figure 3).
They are working closely with business functions to create a
culture in which employees take a more proactive role in
protecting the enterprise. Because they are more integrated
with the business, these security organizations are also able to
influence the design of new products and services,
incorporating security considerations early in the process.
[Figure 3 chart: Differences in focus over the next two years, Responders versus Influencers. Three areas are compared, with the multipliers shown in the chart being 2x, 2x and 4x more: improving enterprisewide communication and collaboration; incorporating new technology to close current gaps; providing education and driving awareness.]
Figure 3: With foundational security technology and practices in
place, Influencers are turning their attention to people and building a
risk-aware culture.
“Security leaders are going to become more
key to their organizations, their budgets will
increase and they will move from the fringe
to being embedded.”
– Line-of-business Director, Banking
Measurement
Influencers are twice as likely as Responders to track their
progress. Given their intent to build a more risk-aware
culture, these organizations measure user awareness and
educational programs more than Protectors and Responders
do (see Figure 4). And because they are concerned with
broader, more systemic risks, Influencers are also more
likely to assess their ability to deal with future threats and
the integration of new technologies. Generally speaking,
Influencers are not only gaining the attention of business
leaders and working collaboratively across the enterprise;
they are also being held responsible and accountable for
what they do through formal measurements.
“In general, the role of information security
will be moving away from specific risks to
global risks. The role will be much larger
than it used to be.”
– Finance Director, Insurance
[Figure 4 chart: Importance of metrics, rated from High to Low for Responders, Protectors and Influencers. Metrics shown: compliance; risk and ability to deal with future threats; vulnerability; education and awareness; speed of recovery from incidents; day-to-day security operations; attacks identified and thwarted; cost; new technology and innovation efforts.]
Figure 4: Influencers are more likely to measure progress through a wider variety of metrics and devote more attention to systemic change than the other groups.
The case for security leadership
Despite constant threats and a growing range of risks,
some organizations are more confident and capable. Their
approaches highlight the importance of a broader charter for
the security function, and a more strategic role for
information security leaders. Yet, adopting this more holistic strategy
involves significant change.
Security leaders must assume a business leadership position
and dispel the idea that information security is a technology
support function. Their purview must encompass education
and cultural change, not just security technology and processes.
Leaders will need to reorient their security organizations
around proactive risk management rather than crisis response
and compliance. And the management of information security
must migrate from discrete and fragmented initiatives to an
integrated, systemic approach. Security has to be designed to
protect the entire enterprise, not just pieces of it.
To accomplish these objectives, security leaders should
construct an action plan based on their current capabilities
and most pressing needs. They will also need to gain the
support of the entire C-suite to drive enterprisewide change.
Responders can move beyond their tactical focus by:
• Establishing a dedicated security leadership role
(like a CISO), assembling a security and risk committee,
and measuring progress
• Automating routine security processes to devote more
time and resources to security innovation
Protectors can make security more of a strategic priority by:
• Investing more of their budgets on reducing future risks
• Aligning information security initiatives to broader
enterprise priorities
• Learning from and collaborating with a network of
security peers
A CISO perspective: Why measures matter
By John Meakin
Global Head of Security Solutions & Architecture, Deutsche Bank
Given the dynamic nature of the challenge, measuring
the state of security within an organization is increasingly
important. Since threats are always moving and solutions
are more complex, dynamic and often partial, knowing
where you are is essential. Leading indicators could include
a variety of measures from the number of applications
that have had specific security requirements defined and
tested prior to going live to the speed and completeness
of correcting known vulnerabilities.
As people access information from a wider variety of
locations and devices, protecting it becomes more difficult.
Organizations may need to track servers and end-points
that store higher classifications of information.
Although metrics can be a challenge to define and capture,
that should not deter organizations from implementing
them. Measurement may be imprecise at first but will
improve over time, and the process itself can drive
valuable insight.
Influencers can continue to innovate and advance their
security approaches by:
• Strengthening communication, education and business
leadership skills to cultivate a more risk-aware culture
• Using insights from metrics and data analysis to identify
high-value improvement areas
The integrated approach, strategic reach and measurement
systems of Influencers point to a new kind of security
organization and a new breed of leader. These forward-thinking security
leaders can make steady progress because they have authority,
accountability and impact. By following their example, those
who are not as far along can begin to find their strategic voice.
For more information
Visit the IBM Center for Applied Insights information
security website (ibm.com/smarter/cai/security) for additional
insights, including perspectives from IBM’s security leaders.
In addition, you can collaborate with peers from around the
world as part of the IBM Institute for Advanced Security
(instituteforadvancedsecurity.com).
About the authors
David Jarvis is a Senior Consultant at the IBM Center for
Applied Insights where he specializes in fact-based research
on emerging business and technology topics. In addition
to his research responsibilities, David teaches on business
foresight and creative problem solving. He can be reached
at djarvis@us.ibm.com.
Marc van Zadelhoff is the Vice President of Strategy for IBM
Security Systems. In this role, he is responsible for overall
offering management, budget and positioning for IBM’s global
security software and services portfolio. He can be reached at
marc.vanzadelhoff@us.ibm.com.
Jack Danahy is the Director for Advanced Security for
IBM Security Systems. He is a national speaker and writer
on computer network and data security and a distinguished
fellow at the Ponemon Institute. In addition, Jack is a frequent
contributor to industry and governmental security groups
in the areas of data privacy, cybersecurity, cyberthreats
and critical infrastructure protection. He can be reached at
jack.danahy@us.ibm.com.
Contributors
IBM Center for Applied Insights
Angie Casey, Steve Rogers, Kevin Thompson
IBM Market Development & Insights
Subrata Chatterjee, Doron Shiloach, Jill Wynn
Office of the IBM CIO
Sandy Hawke, Kris Lovejoy
IBM Security Systems
Tim Appleby, Tom Turner
About the IBM Center for Applied Insights
The IBM Center for Applied Insights (ibm.com/smarter/cai/
value) introduces new ways of thinking, working and leading.
Through evidence-based research, the Center arms leaders
with pragmatic guidance and the case for change.