CISOs' Role Becoming More Strategic, But there Are Growing Pains

More mature security leaders meet regularly with their board and C-suite, thereby improving relations
More mature security leaders meet regularly with their board and C-suite, thereby improving relations

However, challenges remain for CISOs in managing the sheer vastness of the modern security landscape with updated practices.

“Today’s experienced CISO is required to be both a technologist and a business leader, with the ability to address board level concerns as well as manage complex technologies,” IBM said in announcing the report. "Every day, new streams of information flow into corporations, powering up-to-the-minute analysis and smarter decisions. Employees, customers and contractors are all connected as never before, across a multitude of technologies. This hyper-connected era is new ground for many organizations. These sprawling and overlapping networks pose daunting security challenges. The complexity is dizzying, the possible points of attack nearly limitless. CIOs and CISOs are grappling with growing frustrations—and questions."

When it comes to new technologies, IBM found that mobile security is the No. 1 “most recently deployed” security technology, with one-quarter of security leaders deploying it in the past 12 months. And although privacy and security in a cloud environment are still concerns, three-fourths (76%) have deployed some type of cloud security services – the most popular being data monitoring and audit, along with federated identity and access management (both at 39%).

While cloud and mobile continue to receive a lot of attention within many organizations, foundational technologies that CISOs are focusing on include identity and access management (51%), network intrusion prevention and vulnerability scanning (39%) and database security (32%).

The primary mobile challenge for security leaders is to advance beyond the initial steps and think less about technology and more about policy and strategy. Echoing other studies, IBM found that less than 40% of organizations have deployed specific response policies for personally owned devices or an enterprise strategy for bring-your-own-device (BYOD). However, this gap is being recognized, and establishing an enterprise strategy for BYOD (39%) and an incident response policy of personally owned devices (27%) are the two top planned areas for development for the next 12 months.

“It’s evident in this study that security leaders need to focus on finding the delicate balance between developing a strong, holistic security and risk management strategy, while implementing more advanced and strategic capabilities – such as mobility and BYOD,” said David Jarvis, author of the report and manager at the IBM Center for Applied Insights, in a statement.

When it comes to business practices, the security leaders interviewed by IBM stressed the need for strong business vision, strategy and policies, comprehensive risk management and effective business relations to be impactful in their roles. Understanding the concerns of their C-suite is also critical. More mature security leaders meet regularly with their board and C-suite, thereby improving relations. When they meet, the top topics that they discuss include identifying and assessing risks (59%), resolving budget issues and requests (49%) and new technology deployments (44%). The challenge for security leaders is to successfully manage the diverse security concerns of the business.

The report also uncovered that when in the measurement and assessment realm, security leaders use metrics mainly to guide budgeting and to make the case for new technology investment. In some cases, they use measurements to help develop strategic priorities for the security organization. In general, however, technical and business metrics are still focused on operational issues.

For example, more than 90% of interviewees track the number of security incidents, lost or stolen records, data or devices, and audit and compliance status – fundamental dimensions you would expect all security leaders to track. Far fewer respondents (12%) are feeding business and security measures into their enterprise risk process even though security leaders say the impact of security on overall enterprise risk is their most important success factor.

What’s Hot on Infosecurity Magazine?