Security is now seen as a vital aspect of business, and the role and influence of the chief information security officer is correspondingly rising, concludes Finding a strategic voice, a new study from IBM. The primary driver, suggests IBM, is that security is now recognised as a business rather than just a technology imperative. “In today’s hyper-connected world,” states the report, “information security is expanding beyond its technical silo into a strategic, enterprise-wide priority,” driven by the increasing number of high profile attacks.
The result is that while “many organizations remain in crisis response mode, some have moved beyond a reactive stance and are taking steps to reduce future risk.” Key to this is that business is beginning to understand what security experts have been saying for years: security is not a thing or a product that can be bought and installed – it is a continuous process at the heart of the business itself. “The Influencers have the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. These leaders understand the need for more pervasive risk awareness.” Influencers have a strategic role on business security.
“Responders,” says the report, “are more tactically oriented. They are concentrating on foundational building blocks: incorporating new security technology to close security gaps, redesigning business processes and hiring new staff. While technology and business processes are still important to Influencers, they are in the mode of continuously innovating and improving rather than establishing basic capabilities.”
In reality, the clear implication here is that business either needs both an influencer and a responder, or that the influencer needs also to be a responder: strategy needs implementation tactics.
But what of the protectors? This is the traditional view of security. Almost half of the report’s respondents take this role, a role that is likely to be the most prevalent in smaller companies. “These security leaders,” says IBM, “recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises’ security approach.”
“This data painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” said David Jarvis, IBM’s author of the report. “We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations.” In short, this IBM study demonstrates that security and the role of the CISO is evolving from a reactive stance to a proactive stance, both within security itself and the wider business – but there is still a long way to go from protector to influencer.