2013 IBM CISO Assessment - A new standard for security leaders
TRANSCRIPT
© 2013 IBM Corporation
A new standard for security leaders: Insights from the 2013 IBM Chief Information Security Officer Assessment
October 2013
There is increasing attention focused on the CISO and calls to transform and broaden the role into something more than simply a protector of the enterprise
“Where next for the enterprising CISO?”, David Lacey's IT Security Blog, ComputerWeekly.com, July 13, 2013, LINK
“A CISO's Guide to Communicating with the Board”, Kyle Flaherty, 21CT, July 1, 2013, LINK
“Being great: Five critical CISO traits”, Joe Gottlieb, SC Magazine, June 13, 2013, LINK
“CISOs must shape up or ship out, says Forrester”, Warwick Ashford, ComputerWeekly.com, June 11, 2013, LINK
“Smart CISOs… should major on real security management improvements that deliver true business value.”
“It's hard being a CISO… you have a moment in the sun, however short, to demonstrate the overall business value of security in your company and the competitive advantage that provides.”
“…CISOs are not only reducing risk, they are gaining influence over the entire organization and building their value among management and colleagues, and becoming a trusted source for innovation and best practices”
“Chief information security officers will have to evolve into corporate information risk managers if they are to survive in the future...”
Introduction
This is causing organizations to ask a number of key questions around information security leadership and critical capabilities
A CEO might ask:
“Is my security team doing enough to protect the value of the enterprise? Do I have the right team and capabilities?”
“Is security just a cost center, or can it help to achieve business objectives and enable innovation?”
A CIO or Chief Information Security Officer might ask:
“How do I compare to other security organizations in my industry?”
“How should I balance my technology investments with policy development and education programs?”
“How do I convince my business leadership that a technology purchase is needed and worthwhile?”
Different security leader categories and characteristics were defined in the 2012 CISO Assessment – Finding a strategic voice
Extending the prior work in order to identify better practices, we performed in-depth interviews with organizations’ senior-most security leaders
Respondent distribution
Organization size: 83% large enterprise, 17% mid-market
Role: 42% C-level/CISO, 24% IT Manager, 20% IT Director, 15% EVP/VP of IT
Security budget: 34% $1M+, 39% $100K-$1M, 27% <$100K
Countries: U.S., UK, Germany, Japan
Industries: Aerospace and defense, automotive, banking, chemicals, consumer products, financial markets, healthcare, insurance, media and entertainment, manufacturing, pharmaceuticals, retail, travel and transportation, energy and utilities, wholesale
Approach
We uncovered a set of key findings and a set of challenges security leaders are struggling with
Key findings and the related challenge, by area:

Business practices
Key findings: More mature security leaders focus on strategy, policies, education, risks, and business relations. Leaders build trust by communicating in a transparent, frequent, credible way. More work needs to be done to improve information sharing outside the organization.
Challenge: How do I best manage a broad set of concerns from a diverse set of business stakeholders?

Technology
Key findings: Foundational security technologies are still seen as critically important. Mobile security technology has significant attention and investment. Many are using cloud for security services and are planning increased deployment in the near future.
Challenge: How do I improve mobile security policy and management – not just deploy the latest technology?

Measurement
Key findings: In general, technical and business metrics are still focused on operational issues. Metrics are used more for budget and strategy reasons and less for risk. Progress needs to be made translating security metrics into the language of the business.
Challenge: How do I translate security metrics into the language of the business to help guide strategy?
Overview
“Security is difficult, and security people are unique. They have a different way of looking at things. We try to get away from ‘techno garble,’ which isn’t important to the business. The business needs it in black and white, no theoretical things.” (CTO, Insurance)
BUSINESS PRACTICES
What experienced security leaders say about achieving success in their role
Strong strategy and policy
“What’s important when making security decisions? A strategic vision, risk assessments and prioritizing around security, understanding the impact of new technology, having the ability to differentiate solutions and pick the winners.” (IT Director, Insurance)
Comprehensive risk management
“Risk assessment information is used to determine our security policy. It decides what, where, when, and how to protect, and the cost of doing that – the cost to the business.” (Head of IT Group, Manufacturing)
Effective business relations
“Getting business support is about selling. You need somebody that has business savvy, but also understands the technology – who can speak business value and understand risk.” (Chief Technology Officer, Insurance)
Concerted communications efforts
“Effective relationships require lots of communication, providing assistance to business leaders and requesting time in their meetings to communicate importance of security, talk about wins and communicate the risks. You open minds when you have that constant background noise.” (Director of Infrastructure, Utility)
Business practices challenge: Security leaders have a broad set of concerns to manage from a diverse group of stakeholders
Information security leaders have to protect against threats to brand reputation, operational downtime, compliance and regulations, and financial loss
Chart: What are your C-suite’s greatest concerns?
“You have to be on the bleeding edge of business technology and consumer technology. BYOD is starting to encompass almost everything. Devices are proliferating. Security leaders have to be smart, be savvy. Think like a user. Think about what users are doing.” (CIO, Finance)
TECHNOLOGY
Foundational security technologies are still seen as critically important
Strategic and more advanced technologies have generally not risen to critical importance yet
Security leaders are putting an emphasis on enterprise identity and access management (51%) and network security (39%)
Things like advanced malware detection and security intelligence analytics haven’t risen above foundational technologies in importance
Despite concerns, many are using cloud for security services and are planning increased deployment in the near future
Three-fourths (76%) of the sample use some type of cloud security services
Privacy and security of data in a cloud environment is the number one concern (61%)
Most popular cloud services are data monitoring and audit, federated identity and access management, virtual environment protection and patch management
Planning investment in future capabilities (application threat protection)
Chart: Cloud security services, deployed vs. ‘most likely’ planned (percent of respondents)
Deployed: Data monitoring and audit 39%; Federated identity and access management 39%; Virtual environment protection and patch management 37%; Security information and event management (SIEM) 32%; Application threat protection 24%; Other 17%
‘Most likely’ planned: 24%, 10%, 5%, 15%, 20% (values for five of the six services; the mapping to individual services is not recoverable from the chart)
Mobile security technology has significant attention and investment, but the focus is still on deployment
Mobile has significant attention - #1 most recently deployed technology (25% deployed in the past twelve months)
76% see theft or loss of device or sensitive data on device as a major concern
Mobile capabilities are still evolving and maturing
Many are planning to develop an enterprise strategy for mobile security (39%), though not many have done so yet (29%)
Mobile security capabilities (percent of respondents)
Capability                        Currently investing   Planning to develop   No plans
Management capability             78%                   10%                   12%
Inventory of devices              76%                   7%                    17%
Published set of principles       61%                   17%                   22%
Containerization and encryption   56%                   22%                   22%
Incident response policy          39%                   27%                   34%
Enterprise strategy               29%                   39%                   32%
Location awareness                15%                   15%                   71%
Technology challenge: Mobile security technology is top of mind and being deployed, but not everyone is doing all they should with respect to mobile policy and management
Mobile policy and strategy for personal devices is not widely deployed or considered important
Less than 40% have deployed capabilities around specific response policies for personally-owned devices or an enterprise strategy for BYOD
Very few consider an enterprise strategy for BYOD “most important” (10%)
“We use metrics to continually improve our processes and awareness. They help determine what happens next in order to stay ahead of the game.” (Executive VP of IT, Finance)
MEASUREMENT
Metrics are generally used to guide budgeting and help develop strategy for the organization
In general, technical and business metrics are still focused on operational issues
Over 90% track the number of incidents, lost or stolen records, data or devices, and audit and compliance status
Metrics are used more for budget reasons – 32% of respondents use metrics to guide budgeting
Few respondents (12%) are feeding their business and security metrics into the risk process
Measurement challenge: Progress needs to be made translating security metrics into the language of the business
Nearly two-thirds do not translate metrics into financial outputs due to no requirement, lack of resources, and/or complexity to calculate
More than half don’t combine security metrics with business risk metrics – for those that do, it’s typically a line in a broader risk assessment
Measure financial impact: “Measuring financial impact is important when we want to implement technology. What is the ROI, the cost avoidance of an incident? We use it to prove that there is value.” (CTO, Insurance)
Integrate IT and business risk: “Security metrics get combined with customer satisfaction and as part of a broader scope of continuity and business impact analysis. Cybersecurity is integrated into the risk along with other issues.” (Director of IT, Utility)
Those that have the right combination of practices and who are addressing the challenges are evolving into a more versatile security leader – creating a new standard
“Strategic vision… Global consistency… Lots of communication… speak business value, understand risk… minimize the impact… be on the bleeding edge…”
Conclusions
Formalize your role as a CISO
Establish a security strategy
Develop effective business relations
Build trust
Invest in advanced technology when it meets a business need
Fortify your mobile security
Share information
Focus on the overall economic impact of risk
Address concerns around reputational risk and customer satisfaction
Translate and integrate metrics
The path to a new security standard – Where are you on your journey?
Do you have a CISO, or a similar position – a central security leader with authority?
Have you self-assessed your overall security capabilities?
Do you understand enterprise risk and security’s role in it? Are you linked to risk processes?
Do you have a security strategy that the Board and C-suite participate in developing?
Do you have a broad set of metrics (technical, business, risk) that are communicated widely?
Are you continually reassessing your capabilities?
Are you exploring advanced technologies?
Are you investing in mobile security technology AND policy?
Are you actively fostering strong relations and building trust with key business stakeholders?
For more information
Contact
David Jarvis, Manager, IBM Center for Applied Insights
http://www.ibm.com/ibmcai/ciso
http://www.ibm.com/security/ciso
© Copyright IBM Corporation 2013
IBM Corporation, New Orchard Road, Armonk, NY 10504
Produced in the United States of America October 2013
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
GTP11058-USEN-00