
Page 1: 2013 IBM CISO Assessment - A new standard for security leaders

© 2013 IBM Corporation

A new standard for security leaders: Insights from the 2013 IBM Chief Information Security Officer Assessment

October 2013

Page 2: 2013 IBM CISO Assessment - A new standard for security leaders


There is increasing attention focused on the CISO and calls to transform and broaden the role into something more than simply a protector of the enterprise


“Where next for the enterprising CISO?”, David Lacey's IT Security Blog, ComputerWeekly.com, July 13, 2013, LINK

“A CISO's Guide to Communicating with the Board”, Kyle Flaherty, 21CT, July 1, 2013, LINK

“Being great: Five critical CISO traits”, Joe Gottlieb, SC Magazine, June 13, 2013, LINK

“CISOs must shape up or ship out, says Forrester”, Warwick Ashford, ComputerWeekly.com, June 11, 2013, LINK

“Smart CISOs… should major on real security management improvements that deliver true business value.” 

“It's hard being a CISO… you have a moment in the sun, however short, to demonstrate the overall business value of security in your company and the competitive advantage that provides.”

“…CISOs are not only reducing risk, they are gaining influence over the entire organization and building their value among management and colleagues, and becoming a trusted source for innovation and best practices”

“Chief information security officers will have to evolve into corporate information risk managers if they are to survive in the future...”

Introduction

Page 3: 2013 IBM CISO Assessment - A new standard for security leaders


This is causing organizations to ask a number of key questions around information security leadership and critical capabilities

A CEO might ask:

“Is my security team doing enough to protect the value of the enterprise? Do I have the right team and capabilities?”

“Is security just a cost center, or can it help to achieve business objectives and enable innovation?”

A CIO or Chief Information Security Officer might ask:

“How do I compare to other security organizations in my industry?”

“How should I balance my technology investments with policy development and education programs?”

“How do I convince my business leadership that a technology purchase is needed and worthwhile?”


Introduction

Page 4: 2013 IBM CISO Assessment - A new standard for security leaders


Different security leader categories and characteristics were defined in the 2012 CISO Assessment – Finding a strategic voice


Introduction

Page 5: 2013 IBM CISO Assessment - A new standard for security leaders


Extending the prior work in order to identify better practices, we performed in-depth interviews with organizations’ senior-most security leaders.

Respondent distribution

Organization size: 83% large enterprise, 17% mid-market

Role: 42% C-level/CISO, 24% IT Manager, 20% IT Director, 15% EVP/VP of IT

Security budget: 34% $1M+, 39% $100K-$1M, 27% <$100K

Approach

Countries: U.S., UK, Germany, Japan

Industries: Aerospace and defense, automotive, banking, chemicals, consumer products, financial markets, healthcare, insurance, media and entertainment, manufacturing, pharmaceuticals, retail, travel and transportation, energy and utilities, wholesale

Page 6: 2013 IBM CISO Assessment - A new standard for security leaders


We uncovered a set of key findings and a set of challenges security leaders are struggling with

Key findings:
More mature security leaders focus on strategy, policies, education, risks, and business relations
Leaders build trust by communicating in a transparent, frequent, credible way
More work needs to be done to improve information sharing outside the organization
Challenge: How do I best manage a broad set of concerns from a diverse set of business stakeholders?

Key findings:
Foundational security technologies are still seen as critically important
Mobile security technology has significant attention and investment
Many are using cloud for security services and are planning increased deployment in the near future
Challenge: How do I improve mobile security policy and management – not just deploy the latest technology?

Key findings:
In general, technical and business metrics are still focused on operational issues
Metrics are used more for budget and strategy reasons and less for risk
Progress needs to be made translating security metrics into the language of the business
Challenge: How do I translate security metrics into the language of the business to help guide strategy?


Overview

Page 7: 2013 IBM CISO Assessment - A new standard for security leaders


“Security is difficult, and security people are unique. They have a different way of looking at things. We try to get away from ‘techno garble,’ which isn’t important to the business. The business needs it in black and white, no theoretical things.” (CTO, Insurance)

BUSINESS PRACTICES

Page 8: 2013 IBM CISO Assessment - A new standard for security leaders


What experienced security leaders say about achieving success in their role

Strong strategy and policy

“What’s important when making security decisions? A strategic vision, risk assessments and prioritizing around security, understanding the impact of new technology, having the ability to differentiate solutions and pick the winners.” (IT Director, Insurance)

Comprehensive risk management

“Risk assessment information is used to determine our security policy. It decides what, where, when, and how to protect, and the cost of doing that – the cost to the business.” (Head of IT Group, Manufacturing)

Effective business relations

“Getting business support is about selling. You need somebody that has business savvy, but also understands the technology – who can speak business value and understand risk.” (Chief Technology Officer, Insurance)

Concerted communications efforts

“Effective relationships require lots of communication, providing assistance to business leaders and requesting time in their meetings to communicate importance of security, talk about wins and communicate the risks. You open minds when you have that constant background noise.” (Director of Infrastructure, Utility)


Business practices

Page 9: 2013 IBM CISO Assessment - A new standard for security leaders


Business practices challenge: Security leaders have a broad set of concerns to manage from a diverse group of stakeholders

Information security leaders have to protect against threats to brand reputation, operational downtime, compliance and regulations, and financial loss.

Business practices

[Chart: What are your C-suite’s greatest concerns?]

Page 10: 2013 IBM CISO Assessment - A new standard for security leaders


“You have to be on the bleeding edge of business technology and consumer technology. BYOD is starting to encompass almost everything. Devices are proliferating. Security leaders have to be smart, be savvy. Think like a user. Think about what users are doing.” (CIO, Finance)

TECHNOLOGY

Page 11: 2013 IBM CISO Assessment - A new standard for security leaders


Foundational security technologies are still seen as critically important

Strategic and more advanced technologies have generally not risen to critical importance yet.

Security leaders are putting an emphasis on enterprise identity and access management (51%) and network security (39%).

Things like advanced malware detection and security intelligence analytics haven’t risen above foundational technologies in importance.

Technology

Page 12: 2013 IBM CISO Assessment - A new standard for security leaders


Despite concerns, many are using cloud for security services and are planning increased deployment in the near future

Three-fourths (76%) of the sample use some type of cloud security services.

Privacy and security of data in a cloud environment is the number one concern (61%).

Most popular cloud services are data monitoring and audit, federated identity and access management, virtual environment protection and patch management.

Planning investment in future capabilities (application threat protection).

Technology

Cloud security services (deployed / ‘most likely’ planned)

Data monitoring and audit: 39% deployed, 20% planned
Federated identity and access management: 39% deployed, 15% planned
Virtual environment protection and patch management: 37% deployed, 5% planned
Security information and event management (SIEM): 32% deployed, 10% planned
Application threat protection: 24% deployed, 24% planned
Other: 17% deployed

Page 13: 2013 IBM CISO Assessment - A new standard for security leaders


Mobile security technology has significant attention and investment, but the focus is still on deployment

Mobile has significant attention – #1 most recently deployed technology (25% deployed in the past twelve months).

76% see theft or loss of device or sensitive data on device as a major concern.

Mobile capabilities are still evolving and maturing.

Many are planning to develop an enterprise strategy for mobile security (39%), though not many have done so yet (29%).

Technology

Mobile security capabilities (currently investing / planning to develop / no plans)

Management capability: 78% / 10% / 12%
Inventory of devices: 76% / 7% / 17%
Published set of principles: 61% / 17% / 22%
Containerization and encryption: 56% / 22% / 22%
Incident response policy: 39% / 27% / 34%
Enterprise strategy: 29% / 39% / 32%
Location awareness: 15% / 15% / 71%

Page 14: 2013 IBM CISO Assessment - A new standard for security leaders


Technology challenge: Mobile security technology is top of mind and being deployed, but not everyone is doing all they should with respect to mobile policy and management

Mobile policy and strategy for personal devices is not widely deployed or considered important.

Less than 40% have deployed capabilities around specific response policies for personally-owned devices or an enterprise strategy for BYOD.

Very few consider an enterprise strategy for BYOD “most important” (10%).

Technology

Page 15: 2013 IBM CISO Assessment - A new standard for security leaders


“We use metrics to continually improve our processes and awareness. They help determine what happens next in order to stay ahead of the game.” (Executive VP of IT, Finance)

MEASUREMENT

Page 16: 2013 IBM CISO Assessment - A new standard for security leaders


Metrics are generally used to guide budgeting and help develop strategy for the organization

In general, technical and business metrics are still focused on operational issues.

Over 90% track the number of incidents, lost or stolen records, data or devices, and audit and compliance status.

Metrics are used more for budget reasons – 32% of respondents use metrics to guide budgeting.

Few respondents (12%) are feeding their business and security metrics into the risk process.

Measurement

Page 17: 2013 IBM CISO Assessment - A new standard for security leaders


Measurement challenge: Progress needs to be made translating security metrics into the language of the business

Nearly two-thirds do not translate metrics into financial outputs due to no requirement, lack of resources, and/or complexity to calculate.

More than half don’t combine security metrics with business risk metrics; for those that do, it’s typically a line in a broader risk assessment.

“Measuring financial impact is important when we want to implement technology. What is the ROI, the cost avoidance of an incident? We use it to prove that there is value.” (CTO, Insurance)

“Security metrics get combined with customer satisfaction and as part of a broader scope of continuity and business impact analysis. Cybersecurity is integrated into the risk along with other issues.” (Director of IT, Utility)

Measure financial impact

Integrate IT and business risk

Measurement

Page 18: 2013 IBM CISO Assessment - A new standard for security leaders


Those that have the right combination of practices and who are addressing the challenges are evolving into a more versatile security leader – creating a new standard


“Strategic vision… Global consistency… Lots of communication… speak business value, understand risk… minimize the impact… be on the bleeding edge…”

Conclusions

Formalize your role as a CISO

Establish a security strategy

Develop effective business relations

Build trust

Invest in advanced technology when it meets a business need

Fortify your mobile security

Share information

Focus on the overall economic impact of risk

Address concerns around reputational risk and customer satisfaction

Translate and integrate metrics

Page 19: 2013 IBM CISO Assessment - A new standard for security leaders


The path to a new security standard – Where are you on your journey?


Conclusions

Do you have a CISO, or a similar position – a central security leader with authority?

Have you self-assessed your overall security capabilities?

Do you understand enterprise risk and security’s role in it? Are you linked to risk processes?

Do you have a security strategy that the Board and C-suite participates in the development of?

Do you have a broad set of metrics (technical, business, risk) that are communicated widely?

Are you continually reassessing your capabilities?

Are you exploring advanced technologies?

Are you investing in mobile security technology AND policy?

Are you actively fostering strong relations and building trust with key business stakeholders?

Page 20: 2013 IBM CISO Assessment - A new standard for security leaders


For more information

Contact

David Jarvis, Manager, IBM Center for Applied Insights

http://www.ibm.com/ibmcai/ciso

http://www.ibm.com/security/ciso


Page 21: 2013 IBM CISO Assessment - A new standard for security leaders


© Copyright IBM Corporation 2013

IBM Corporation, New Orchard Road, Armonk, NY 10504

Produced in the United States of America October 2013

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

GTP11058-USEN-00