A new study from IBM has identified three types of Chief Information Security Officers (CISOs) — and all of them are experiencing a change in their organizations as they deal with new and emerging threats.
“The role of the CISO is increasingly being elevated to a more strategic position,” said David Jarvis, author of the report and senior consultant at the IBM Center for Applied Insights, in an interview with eSecurity Planet. “Organizations are addressing security more holistically today; part of that is elevating the CISO role.”
The 2012 IBM Chief Information Security Officer Assessment found that CISOs can be classified as either Influencers, Protectors, or Responders. The Influencer category represented 25 percent of the survey base and has a strategic influence in their respective organizations. Protectors represented 47 percent of the survey base — and while they realize the strategic importance of security, they don’t have full budget authority to change their organizations. The final group is the Responders, representing 28 percent of the survey base; these are the CISOs that seek simply to keep their enterprises in compliance.
The IBM study considers organizations to be more advanced if the CISO is an influencer. At 60 percent of organizations with an Influencer CISO, security is a regular board topic. In contrast, it is only a board topic for 22 percent of organizations with a Responder CISO. Seventy-one percent of companies with Influencer CISOs were also more likely to have a dedicated security budget line item, in contrast to only 27 percent of less advanced organizations.
Across all CISOs, almost two-thirds reported that senior management overall is now paying more attention to security than they did two years ago. Furthermore, two-thirds of CISOs reported that they expect their organizations to spend more on security over the next two years.
CISOs face a number of challenges. From a high-level perspective, the respondents told IBM that they were concerned about external threats, with 69 percent rating it their number one or number two challenge.
“This was more than internal threats, more than incorporating new technologies, and more than regulation and compliance issues,” Jarvis said. “I think that, at the moment, the gaze of security and business leaders is outward with all of the high profile breaches and security incidents.”
From a technology standpoint, key CISO challenges are about securing mobile technologies, whether BYOD or company-provided. Jarvis noted that more than half of respondents cited that as their primary technology concern over the next two years, more than cloud and more than database security.