Senior consultant, IBM Center for Applied Insights
Today, the IBM Center for Applied Insights releases the results of the 2012 IBM Chief Information Security Officer Assessment. This was our first foray into examining the role of information security leaders, and how they are evolving to meet the challenging landscape. While we understand and appreciate the fact that things are difficult on the technical front, we wanted to focus on the organizational and leadership aspects of information security.
- We felt that information security leadership was in the process of undergoing a transformation and wanted to test whether the role was changing based on increasing security challenges and greater attention from business leaders.
- We wanted to identify best practices that could be shared across the industry – and understand if organizations were moving toward a more holistic, risk-based approach to information security.
- We also wanted to know what roles collaboration, innovation and integration are playing in security organizations.
What we discovered was that only 1 in 4 security leaders have made the shift to being recognized as having strategic impact on their enterprise. Based on a self-assessment of their organizational maturity and their ability to handle a security incident, three different types of leaders emerged.
- Influencers (25%) – This group sees their security organizations as progressive, ranking themselves highly in both maturity and preparedness. These security leaders have business influence and authority – a strategic voice in the enterprise.
- Protectors (47%) – These security leaders recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises’ security approach.
- Responders (28%) – This group remains largely in response mode, working to protect the enterprise and comply with regulations and standards but struggling to make strategic headway. They may not yet have the resources or business influence to drive significant change.
We also discovered some significant differences between the groups that show how Influencers have developed their strategic voice. Compared to Responders, Influencers are:
- 2x more likely to have a dedicated CISO
- 2.5x more likely to have a security or risk committee
- 3x more likely to have information security as a board topic
- 2x more likely to use a standard set of security metrics to track their progress
- 4x more likely to be focused on improving enterprise-wide communication and collaboration over the next two years
- 2x more likely to be focused on providing education and security awareness over the next two years
This is just the beginning of our conversation around the role of information security leadership and its place within the enterprise. The full report goes into more detail on the security landscape, the different types of leaders and their characteristics, and a way forward for everyone.