To answer this intriguing query, the Enterprise Strategy Group (ESG) surveyed 227 North American-based security professionals from organizations with over 1,000 employees. ESG found that 63 percent of these large organizations have CISOs in place, more than twice the percentage of other types of associated "C" level professionals. In mapping quantitative and qualitative data, ESG also found that CISOs tend to:
- Report to IT. Most CISOs report into the CIO, but a fair number remain at a lower level, reporting into someone like a vice president of IT operations. Nevertheless, the position is migrating up the organizational chart in general.
- Come from the networking world. Many CISOs worked their way up through the networking ranks. It is not at all uncommon that the person who is in charge of enterprise security cut their security teeth on Check Point firewalls.
- Act as "jacks-of-all-trades." Security executives are expected to be knowledgeable on all aspects of security technologies, policies, and procedures. CISOs also must dabble in compliance, privacy and IT risk. This is a lot of ground to cover.
The CISO influence
Clearly, the CISO's role and responsibilities are a work in progress, but the data does indicate that the presence of a CISO makes a difference. ESG found that organizations with a CISO in place:
- Dedicate more budget dollars to security protection. ESG asked survey respondents whether their organization would increase security spending in the next 12 months. Twenty-three percent of organizations with CISOs expect to spend "significantly more" while only eight percent of organizations with no CISOs gave the same response. Alternatively, 27 percent of organizations lacking a CISO expect to spend "about the same as today," as compared to 18 percent of those with CISOs in place.
- Focus on security needs across the enterprise. Nearly half of the organizations with CISOs say that they will address security requirements "across the enterprise" over the next 12 months, while another 21 percent will do so "on a business unit basis." Of those firms without CISOs, 37 percent were inclined to address security "across the enterprise," while eight percent said they would do so "on a business unit basis." Conversely, organizations with no CISO in place were more likely to say they would address security "on an ad-hoc basis" (13 percent of respondents vs. four percent with CISOs). ESG concludes that CISOs are effectively leading their organizations in addressing security on a more holistic basis and are thus better prepared and protected.
- Are most effective with security technology. The good news is that CISOs seem to really help organizations select appropriate technology defenses. Given that CISOs tend to come from the technology world and report into IT, this certainly makes sense. The bad news? CISO-led organizations are marginally more effective with their security policies and procedures than those with no security executives. This data indicates that CISOs still face an uphill challenge. Even those organizations with the foresight to hire a CISO may still be lacking in executive management support, security training and formal IT governance.
What conclusions can be drawn from this data? Organizations employing CISOs seem to be proceeding down a path where information security is addressed as a strategic enterprise issue rather than a tactical IT nuisance. This is a positive trend. Nevertheless, more work needs to be done to include security considerations within business processes and not just enterprise technology add-ons.
As the business value associated with strong security becomes widespread, ESG expects that future CISOs will:
- Balance business and technical skills. This trend already occurred with CIOs, so there is no reason why history won't repeat itself. As companies realize that they have to "bake" security into ever-changing business processes — like business process outsourcing, supply chain integration and e-business — the combination of security, technology and business skills will be invaluable.
- Be involved in IT governance. Strong security goes hand-in-hand with formal and measurable processes. As more organizations embrace IT governance models like ITIL/ITSM, CoBiT and the NIST 800 series, it is likely that CISOs will play a starring role.
- Evolve to focus on IT risk management. While Certified Information Systems Security Professionals (CISSPs) study disaster recovery and system availability, security executives rarely have this function in the real world. This inconsistency will soon be a thing of the past. It is likely that CISOs will be heavily involved in setting and managing IT service levels in the future. CISOs with this responsibility will have to be knowledgeable in system performance, high-availability architectures and DR planning.
Jon Oltsik is senior analyst for information security at the Enterprise Strategy Group.
The bottom line: Business savvy + tech
The ESG data indicates that CISOs add value today and are pointing their companies in the right direction. In an environment of growing attack sophistication and government regulations, this trend will only increase. The CISO of the future will have broader business and IT responsibilities and ultimately report into the chief operations officer or CEO. This is good news for the CISO position, but the job requirements are a mismatch for today's crop of techno-centric security executives. Future CISOs will need a new skill set, combining business savvy and strong technology chops. This will mean that future CISOs will be highly valued executives and likely be in short supply.