- Retailers realize that information security needs more attention – 8 of 11 see increased leadership attention from two years ago, and 9 of 11 expect increased budgets over the next two years.
- They are making progress – all of the retail respondents indicated a slight (7 of 11) or a dramatic (4 of 11) improvement in their information security position from two years ago.
- However, they currently lack the information security organizational structure to address the changing landscape – only 2 of 11 have a CISO, 2 of 11 have a dedicated budget line item, 4 of 11 have a security or risk committee and 5 of 11 use a standard set of metrics.
- Internal threats and mobility are top concerns – 6 of 11 respondents indicated mobility as their top technology concern. Internal threats were ranked the highest overall security threat with 5 of 11 ranking it #1.
- Retailers will be focused on employee education and using managed services to improve their security situation over the next two years.
IBM Center for Applied Insights
DAVID JARVIS. Tags: security, ciso, retail, security_leader
Special thanks to Geert Van De Putte and Tim Appleby from IBM Software Group for their help with this post.
Like other industries, retail has its own set of unique security challenges. Loss prevention is a significant component of that challenge. The latest National Retail Security Survey stated that in 2011, U.S. retailers lost $34.5 billion to retail theft – combining employee theft, shoplifting, paperwork errors and supplier fraud. That accounted for approximately 1.4 percent of total retail sales that year.
Today, the checkout/point of sale is the nexus for retail security. Here, the four most important flows for a retailer converge – cash, inventory, electronic payments and customer data. All sorts of security incidents and fraud can happen at this point – self-checkout fraud, shoplifting, counterfeit coupons, employee theft and employee complicity in theft, and the theft of customer data through compromised equipment.
As the boundaries of retailers extend beyond the traditional brick and mortar of their stores, additional security concerns come into play. There is fraud around online ordering and home shipment, portal security issues for retailer websites, supply chain security associated with contamination, theft and low quality, and even theft of intellectual property (if retailers have their own private labels).
On top of all of this, retailers are also transforming their business with emerging technologies that all have their own unique security challenges. These include new payment technologies like mobile point-of-sale and in-aisle purchasing, e-receipts, RFID and near-field communications, video and social analytics, mobility and multi-channel access and social networking.
All of these are increasing the number of contact points between the customer and the retailer – pushing out the security boundary further and further. Retailers are struggling to create a better, deeper customer experience and, at the same time, mitigate the potential risks to the organization.
The threat landscape and new technologies are creating a need for an integrated security environment. Are retailers up to the task? Are they approaching physical and information security in new, united ways? Is loss prevention being included in more and more technology conversations? Are retailers moving away from being purely reactive?
We gained a bit of insight into this as part of the IBM 2012 CISO Assessment. There were eleven retail respondents from four different countries (France, Germany, Japan and the U.S.). Their answers, compared to the overall statistics from the survey, shed some light on the issues (see the summary points at the top of this post):
Another statistic highlighting that retailers know the importance of information security but are struggling to address the changing technology environment comes from IBM’s Global Workforce Study. Overall, 49% of respondents stated that they have “completely addressed” their mobile security concerns. For retail it was only 22%. However, 73% of retail respondents expect to make significant investments in their mobile environment in the next 1-2 years, signaling that they know it is an issue.
Retailers are not only responsible for protecting their own information; they are also under considerable regulatory pressure to protect customer information. They face a diverse array of threats and technologies that are creating new potential vulnerabilities. They need the right security organization and capabilities, ones that unite information and physical security, risk, loss prevention and other functions into a holistic approach. Retailers realize this, but they still have a way to go before they will be confident in their capabilities.
Feel free to contribute to the conversation. Are these the right security challenges for retailers? Will it take more than just technology to address them? How do you think they are addressing this important issue today? Do retailers have a harder go at it than other industries because of the nature of their business? Let us know what you think.
DAVID JARVIS. Tags: security_leader, erm, information_security, ciso, security, leaders, leadership
Client Insights, Senior Consultant
Center for Applied Insights
Some things are bad to do by committee: creating a work of art, cooking dinner, closing a baseball game. Sometimes, though, committees are a necessity. Security and risk committees are an essential part of any enterprise’s security and risk management infrastructure, and they are a sign of a mature organization. By promoting collaboration across the enterprise and making security and the associated risk discussions an integral part of senior leadership’s responsibilities, the enterprise can be better protected. Yet, even though the benefits are clear, not enough enterprises have one.
A study released last week by the Carnegie Mellon CyLab, looking at privacy and security governance in the Forbes Global 2000, reported that boards and senior leadership still are not exercising appropriate governance over the privacy and security of their digital assets. The study stated that there is still a significant gap in understanding around the fact that security, privacy and IT risk are all a part of enterprise risk management.
The study did note one encouraging sign – that more and more enterprises have cross-functional privacy/security committees – 70% of 2012 respondents versus 17% in 2008. These committees can act as a bridge to boards and senior leadership and elevate the discussion around security and risk, potentially closing the governance gap.
These findings line up very nicely with what we recently uncovered as part of our 2012 CISO Assessment. Overall, only 49% of the total sample reported that they had a security or risk committee. When we delved deeper, 68% of the most mature group of organizations, Influencers, had a security/risk committee. In comparison, only 26% of the least confident and mature group, Responders, had one.
Interestingly, regardless of the organization’s overall security maturity level, organizations that had a security or risk committee shared similar characteristics. In general, the committees tended to be led by Senior IT Executives (28%), CISOs (24%) or Senior Business Executives (22%). They met on a fairly regular basis, with 48% meeting quarterly and 27% meeting monthly.
The security and risk committees also took a comprehensive, enterprise-wide approach with both business and IT representation. From the business side, the most represented functions included Compliance (80%), Legal (65%), Business Executives (64%), Business Operations (64%), and Finance (59%). From the IT side, IT Executives (91%), IT Operations (72%), Network Operations (60%), and Data Governance (51%) were all a part of a majority of the committees.
Finally, as part of the CISO Assessment we looked at the primary objectives of the security/risk committees. Looking at the chart below we can see that, based on their top two choices, most committees were primarily focused on developing enterprise security strategy and developing action plans and recommendations. So should committees only be focused on strategic policy and governance issues? Is there more they could be doing?
At IBM, our risk management team meets quarterly with a top advisory committee, including senior vice presidents of all the business units, who report directly to the CEO. These include the leaders of many functional areas including finance, marketing, technology and others. Each of these executives must understand the security risks to his or her unit and what controls are in place. Together, they shape and decide strategy. Security, after all, is intimately tied not only to their units, but to the future of the enterprise.
Based on all this information, I think that enterprises are using security and risk committees more and more, and that they are adopting best practices around the leaders, members, operations and goals of those committees. To make the next step:
DAVID JARVIS. Tags: ciso, mobile, cso, risk_management, security_leader, security
I've had the privilege of working with IBM's Security Systems and Services teams over the past two years looking at the evolution of security leadership and what security leaders, like the CISO, are going to need to look like in the future. We’ve also looked at leading practices in cybersecurity education and we’ve identified essential security practices for CIOs based on our experiences at IBM.
Have a strategic vision… ensure global consistency in policy… engage in lots of communication with business leaders… speak business value and understand risk… minimize the impact of security to the business… be on the bleeding edge of enterprise and consumer technology...
To learn more and download the full report and other materials visit the IBM Center for Applied Insights and join us in an open discussion about the future for information security leadership.
DAVID JARVIS. Tags: security_leader, leaders, security, ciso, cso, information_security, risk_management, infosec
Senior consultant, IBM Center for Applied Insights
It’s easy to say that information security leaders have it tough. The security landscape is full of conflict, confusion and uncertainty, coming from a number of different directions. Leaders have a lot to handle. If it’s not a rapidly shifting threat, it’s new technology platforms to secure including mobile, cloud and social. Almost every article I see these days is focused on the growing challenges, with titles like the “Eye of the storm”, “Into the cloud, out of the fog” and “Converging waves of pain.”
Today, the IBM Center for Applied Insights releases the results of the 2012 IBM Chief Information Security Officer Assessment. This was our first foray into examining the role of information security leaders, and how they are evolving to meet the challenging landscape. While we understand and appreciate the fact that things are difficult on the technical front, we wanted to focus on the organizational and leadership aspects of information security.
What we discovered was that only 1 in 4 security leaders have made the shift to being recognized as having strategic impact on their enterprise. Based on a self-assessment of their organizational maturity and their ability to handle a security incident, three different types of leaders emerged.
We also discovered some significant differences between the groups that show how Influencers have developed their strategic voice. Compared to Responders, Influencers are:
This is just the beginning of our conversation around the role of information security leadership and its place within the enterprise. The full report goes into more detail on the security landscape, the different types of leaders and their characteristics, and a way forward for everyone.
Check out the full report, “Finding a strategic voice” for more information on this important topic. Also, catch our ongoing series of articles on best practices for information security from IBM’s VP of IT Risk on the IBM Center for Applied Insights security site.
DAVID JARVIS. Tags: mobile, kris_lovejoy, caleb_barlow, ciso, it-security, security_essentials, byod, security
Growing up, there was a very specific sandwich-making rule laid down by my dad. When making peanut butter and jelly sandwiches, you had to use the peanut butter before the jelly. Was this because of some principle which determined that the resulting sandwich held together better when the ingredients were applied in this order? No. It was because he hated the cross-contamination of jelly into the peanut butter jar which was inevitable when it was on the spreading knife first. He preferred jelly-free sandwiches, you see.
In the realm of mobile and BYOD, you can hardly have a conversation without discussing security. It is a key inhibitor to mobile adoption and one reason companies are looking for managed security solutions rather than simply hoping for the best. Some security leaders argue for keeping personally owned devices out of the enterprise, simply because of the risk potential. Others, accepting that mobile is here to stay, fight to make its use as secure and safe as possible. It's only going to get harder as more and more connected devices enter the enterprise (see this recent Forbes article: "The Next Big Thing In Enterprise IT: Bring Your Own Wearable Tech?").
What stops you from fully adding mobile to your security strategy? Hopefully it is more than just a distaste for jelly in your peanut butter. This October we'll have more to share on mobile adoption challenges when we release this year's follow up to our 2012 CISO Assessment.
DAVID JARVIS. Tags: ciso, security_leader, information_security, security
Client Insights, Senior Consultant
Center for Applied Insights
In 2012 we saw significant data breaches across multiple industries and governments impacting millions of users. Will 2013 bring more of the same? Is this an uncertain future we will have to live with? Can we accept degraded privacy and security and billions of dollars in lost revenue, damage, reduction in brand value and remediation costs?
Last year, a number of major security themes were part of this uncertainty – cloud, mobile, social media, big data, compliance, advanced persistent threats, physical infrastructure security, and the changing nature of information security leadership. None of these issues are going anywhere. In fact, into 2013 and beyond these issues are only going to become more important and will become the concern of more and more enterprise leaders.
All of these disparate issues come together in a new infographic from IBM. It knits together the pressures CEOs are feeling to deliver transformation with limited resources, the changing role of information security leaders, the threat landscape and the best practices to address that landscape. It connects enterprise priorities with information security practices, achieving innovation while dealing with risk.
In 2012, the IBM Center for Applied Insights released a series of security-related pieces that focused on a number of these important issues. We looked at the changing role of the CISO and other security leaders in our 2012 CISO Assessment. We also published a series of best practices for security leaders through our eight article Security Essentials series. In 2013 we will continue to provide insights on information security.
Keeping these ideas, trends and emerging issues in mind, information security leaders must rise to the challenge of creating a future that isn’t like today. By using their best practices to connect with and support enterprise-level goals they can create a better, more secure, future.
To download a copy of the infographic, click here.