An IBM study shows that CISOs are getting more pressure from top executives, but also are gaining a greater voice in their companies.
Senior executives in charge of
security are finding their roles changing not only as they deal with the
growing rates of data breaches and hacker attacks but also by the increasing
interest from CEOs and others in the safety of their companies most valuable
information, according to a survey from IBM.
As a result, chief information
security officers (CISOs) are becoming a more significant presence in corporate
boardrooms with a greater input into strategy, and also are shifting more
toward risk management than simply reacting to one security incident after another,
IBMs Center for Applied Insights found in its study Finding a Strategic
Voice: Insights from the 2012 IBM Chief Information Security Officer
In the study, IBM interviewed 130
security executives from around the world. Results from the study were released
"This data painted a profile of
a new class of CISO leaders who are developing a strategic voice, and paving
the way to a more proactive and integrated stance on information
security," David Jarvis, author of the report and senior consultant at the
IBM Center for Applied Insights, said in a statement. "We see the path of
the CISO is now maturing in a similar pattern to the CFO from the 1970s, the
CIO from the 1980sfrom a technical one to a strategic business enabler. This
demonstrates how integral IT security has become to organizations."
CISOs are feeling a lot of pressure
from above, given that the nature of their jobs means protecting key corporate
assets, from money to customer data to intellectual property, according to IBM.
Two-thirds of the surveys respondents said their senior executives, sensitive
to the rash of stories about high-profile data breaches and lost data over the
past couple of years, are paying more attention to security now than they were
two years ago. In addition, two-thirds also said they expect corporate spending
on information security to increase over the next two years, with 87 percent of
those expecting a double-digit increase.
Mobile security also is becoming a
key issue; more than half of the respondents said it will be a primary
technology concern over the next two years. Various reports have shown
increases in attacks on mobile devices over the past year, as smartphones and
tablets become increasingly popular with consumers and businesses alike. According
to a report from Juniper Networks in February,
malware targeting mobile operating systems jumped 155 percent in 2011 when
compared with the previous year, and malware aiming at Googles Android OS
skyrocketed 3,325 percent.
IBM researchers saw several
characteristics in the type of CISO they called influencersthose who help
influence business strategies tend to be more prepared and confident than the
protectors and responders. One characteristic was that the influencer sees
security more as a business imperative than a technology one, and these CISOs
tend to have the ear of businesses leaders and directors. They are more aware
of risks, more collaborative and communicative across the enterprise, and are
more forward-thinkingand more likely to have a security steering committee.
Such CISOs and their organizations
also are twice as likely to use metrics to monitor progress, and share budgetary
responsibilities with C-level security executives71 percent of such companies
had dedicated security budget line items.
"Security in a hyper-connected
era presents a new set of challenges, but these can be greatly eased by
implementing innovative practices and adopting a more integrated, holistic
approach," Marc van Zadelhoff, an author of the report and vice president
of Strategy for IBM Security Systems, said in a statement. "CISOs that
prioritize these factors can help their organizations significantly improve
business processes and achieve measurable success in their progress toward
building a risk-aware culture that is agile and well-equipped to deal with