IBM is out with its second annual Chief Information Security Officer (CISO) Assessment study this week, providing visibility into how enterprises are dealing with modern IT security challenges. David Jarvis, manager, IBM Center for Applied Insight and a co-author of the report, told eSecurity Planet that the need for strong strategy and policy in security, especially in emerging areas like BYOD, is critical.

The challenge for CISOs is that each member of the C-suite has a different viewpoint when it comes to security.

"Security leaders have a real challenge meeting different expectations when they are communicating with the C-suite," Jarvis said.

For example, the CEO could worry about loss of customer trust, while the COO is more concerned about operational downtime and the CFO frets about financial loss.

BYOD Policy Lacking

From a technology perspective, the study found that most security leaders focus on foundational technologies like network security as well as identity and access control. Mobile security ranks high on the priority list for CISOs as well, and is a key area for investment.

"A lot of people said they have a mobile management capability and an enterprise strategy for mobile," Jarvis said. "What isn't there yet is the fact that BYOD and personally-owned device policy isn't in place yet."

Jarvis noted that many of the security leaders that IBM spoke with recognized the mobile BYOD gap and indicated it would be a key area of focus over the next 12 months.

Explaining Security in Business Terms

A key challenge identified by the IBM study is how CISOs can translate security concerns and initiatives into business language.

"Mature security leaders know they have to translate their efforts, but they are having a difficult time establishing a feedback loop with executive management," Jarvis said.

Nearly two-thirds of the CISOs surveyed by IBM do not translate their security metrics into an analysis of financial impact. Going a step further, less than half of CISOs integrate their IT and business risk metrics together.

"That's where we see a gap - translating the operational security metrics that CISOs have into the language of the business so they can communicate with the C-suite and help them to be smarter about making security investments for the enterprise," Jarvis said.

Another key area that IBM asked CISOs about is the usage of managed security services. While the full details on IBM's study in that area are not included in the current CISO study, Jarvis did share some preliminary findings.

"Just a little over half of the folks we interviewed used an external provider for 10 percent or more of their security operations," Jarvis said. "It's more around improving capabilities and less around cost; they're using external providers to shore up the gaps."

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.