CISOs are getting more pressure from top executives, but also are gaining a greater voice in their companies

An IBM study shows that CISOs are getting more pressure from top executives, but also are gaining a greater voice in their companies.
Senior executives in charge of security are finding their roles changing not only as they deal with the growing rates of data breaches and hacker attacks but also by the increasing interest from CEOs and others in the safety of their companies’ most valuable information, according to a survey from IBM.
As a result, chief information security officers (CISOs) are becoming a more significant presence in corporate boardrooms with a greater input into strategy, and also are shifting more toward risk management than simply reacting to one security incident after another, IBM’s Center for Applied Insights found in its study “Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment.”
In the study, IBM interviewed 130 security executives from around the world. Results from the study were released May 3.
« This data painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security, » David Jarvis, author of the report and senior consultant at the IBM Center for Applied Insights, said in a statement. « We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s—from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations. »
CISOs are feeling a lot of pressure from above, given that the nature of their jobs means protecting key corporate assets, from money to customer data to intellectual property, according to IBM. Two-thirds of the survey’s respondents said their senior executives, sensitive to the rash of stories about high-profile data breaches and lost data over the past couple of years, are paying more attention to security now than they were two years ago. In addition, two-thirds also said they expect corporate spending on information security to increase over the next two years, with 87 percent of those expecting a double-digit increase.
Mobile security also is becoming a key issue; more than half of the respondents said it will be a primary technology concern over the next two years. Various reports have shown increases in attacks on mobile devices over the past year, as smartphones and tablets become increasingly popular with consumers and businesses alike. According to a report from Juniper Networks in February, malware targeting mobile operating systems jumped 155 percent in 2011 when compared with the previous year, and malware aiming at Google’s Android OS skyrocketed 3,325 percent.
IBM researchers saw several characteristics in the type of CISO they called “influencers”—those who help influence business strategies tend to be more prepared and confident than the “protectors” and “responders.” One characteristic was that the influencer sees security more as a business imperative than a technology one, and these CISOs tend to have the ear of businesses leaders and directors. They are more aware of risks, more collaborative and communicative across the enterprise, and are more forward-thinking—and more likely to have a security steering committee.
Such CISOs and their organizations also are twice as likely to use metrics to monitor progress, and share budgetary responsibilities with C-level security executives—71 percent of such companies had dedicated security budget line items.
« Security in a hyper-connected era presents a new set of challenges, but these can be greatly eased by implementing innovative practices and adopting a more integrated, holistic approach, » Marc van Zadelhoff, an author of the report and vice president of Strategy for IBM Security Systems, said in a statement. « CISOs that prioritize these factors can help their organizations significantly improve business processes and achieve measurable success in their progress toward building a risk-aware culture that is agile and well-equipped to deal with future threats. »