A new standard for security leaders
Insights from the 2013 IBM Chief Information Security Officer Assessment
October 2013
© 2013 IBM Corporation



Page 2

There is increasing attention focused on the CISO and calls to transform and broaden the role into something more than simply a protector of the enterprise


“Where next for the enterprising CISO?”, David Lacey's IT Security Blog, ComputerWeekly.com, July 13, 2013, LINK

“A CISO's Guide to Communicating with the Board”, Kyle Flaherty, 21CT, July 1, 2013, LINK

“Being great: Five critical CISO traits”, Joe Gottlieb, SC Magazine, June 13, 2013, LINK

“CISOs must shape up or ship out, says Forrester”, Warwick Ashford, ComputerWeekly.com, June 11, 2013, LINK

“Smart CISOs… should major on real security management improvements that deliver true business value.”

“It's hard being a CISO… you have a moment in the sun, however short, to demonstrate the overall business value of security in your company and the competitive advantage that provides.”

“…CISOs are not only reducing risk, they are gaining influence over the entire organization and building their value among management and colleagues, and becoming a trusted source for innovation and best practices”

“Chief information security officers will have to evolve into corporate information risk managers if they are to survive in the future...”

Introduction

Page 3

This is causing organizations to ask a number of key questions around information security leadership and critical capabilities

A CEO might ask:

• “Is my security team doing enough to protect the value of the enterprise? Do I have the right team and capabilities?”

• “Is security just a cost center, or can it help to achieve business objectives and enable innovation?”

A CIO or Chief Information Security Officer might ask:

• “How do I compare to other security organizations in my industry?”

• “How should I balance my technology investments with policy development and education programs?”

• “How do I convince my business leadership that a technology purchase is needed and worthwhile?”


Introduction

Page 4

Different security leader categories and characteristics were defined in the 2012 CISO Assessment – Finding a strategic voice


Introduction

Page 5

Extending the prior work in order to identify better practices, we performed in-depth interviews with organizations’ senior-most security leaders

Respondent distribution

Organization size: 83% large enterprise, 17% mid-market

Role: 42% C-level/CISO, 24% IT Manager, 20% IT Director, 15% EVP/VP of IT

Security budget: 39% $100K-$1M, 34% $1M+, 27% <$100K

Countries: U.S., UK, Germany, Japan

Industries: Aerospace and defense, automotive, banking, chemicals, consumer products, financial markets, healthcare, insurance, media and entertainment, manufacturing, pharmaceuticals, retail, travel and transportation, energy and utilities, wholesale

Approach

Page 6

We uncovered a set of key findings and a set of challenges security leaders are struggling with

Key findings:

• More mature security leaders focus on strategy, policies, education, risks, and business relations

• Leaders build trust by communicating in a transparent, frequent, credible way

• More work needs to be done to improve information sharing outside the organization

Challenge: How do I best manage a broad set of concerns from a diverse set of business stakeholders?

Key findings:

• Foundational security technologies are still seen as critically important

• Mobile security technology has significant attention and investment

• Many are using cloud for security services and are planning increased deployment in the near future

Challenge: How do I improve mobile security policy and management – not just deploy the latest technology?

Key findings:

• In general, technical and business metrics are still focused on operational issues

• Metrics are used more for budget and strategy reasons and less for risk

• Progress needs to be made translating security metrics into the language of the business

Challenge: How do I translate security metrics into the language of the business to help guide strategy?


Overview

Page 7

“Security is difficult, and security people are unique. They have a different way of looking at things. We try to get away from ‘techno garble,’ which isn’t important to the business. The business needs it in black and white, no theoretical things.” (CTO, Insurance)

BUSINESS PRACTICES

Page 8

What experienced security leaders say about achieving success in their role

Strong strategy and policy

“What’s important when making security decisions? A strategic vision, risk assessments and prioritizing around security, understanding the impact of new technology, having the ability to differentiate solutions and pick the winners.” (IT Director, Insurance)

Comprehensive risk management

“Risk assessment information is used to determine our security policy. It decides what, where, when, and how to protect, and the cost of doing that – the cost to the business.” (Head of IT Group, Manufacturing)

Effective business relations

“Getting business support is about selling. You need somebody that has business savvy, but also understands the technology – who can speak business value and understand risk.” (Chief Technology Officer, Insurance)

Concerted communications efforts

“Effective relationships require lots of communication, providing assistance to business leaders and requesting time in their meetings to communicate importance of security, talk about wins and communicate the risks. You open minds when you have that constant background noise.” (Director of Infrastructure, Utility)


Business practices

Page 9

Business practices challenge: Security leaders have a broad set of concerns to manage from a diverse group of stakeholders

Information security leaders have to protect against threats to brand reputation, operational downtime, compliance and regulations and financial loss.

Chart: What are your C-suite’s greatest concerns?

Business practices

Page 10

“You have to be on the bleeding edge of business technology and consumer technology. BYOD is starting to encompass almost everything. Devices are proliferating. Security leaders have to be smart, be savvy. Think like a user. Think about what users are doing.” (CIO, Finance)

TECHNOLOGY

Page 11

Foundational security technologies are still seen as critically important

• Strategic and more advanced technologies have generally not risen to critical importance yet

• Security leaders are putting an emphasis on enterprise identity and access management (51%) and network security (39%)

• Things like advanced malware detection and security intelligence analytics haven’t risen above foundational technologies in importance


Technology

Page 12

Despite concerns, many are using cloud for security services and are planning increased deployment in the near future

• Three-fourths (76%) of the sample use some type of cloud security services

• Privacy and security of data in a cloud environment is the number one concern (61%)

• Most popular cloud services are data monitoring and audit, federated identity and access management, virtual environment protection and patch management

• Planning investment in future capabilities (application threat protection)


Technology

Chart: Cloud security services, deployed vs. ‘most likely’ planned, for data monitoring and audit; federated identity and access management; virtual environment protection and patch management; security information and event management (SIEM); application threat protection; other.

Page 13

Mobile security technology has significant attention and investment, but the focus is still on deployment

• Mobile has significant attention – #1 most recently deployed technology (25% deployed in the past twelve months)

• 76% see theft or loss of device or sensitive data on device as a major concern

• Mobile capabilities are still evolving and maturing

• Many are planning to develop an enterprise strategy for mobile security (39%), though not many have done so yet (29%)


Technology

Mobile security capabilities (currently investing / planning to develop / no plans)

Management capability: 78% / 10% / 12%

Inventory of devices: 76% / 7% / 17%

Published set of principles: 61% / 17% / 22%

Containerization and encryption: 56% / 22% / 22%

Incident response policy: 39% / 27% / 34%

Enterprise strategy: 29% / 39% / 32%

Location awareness: 15% / 15% / 71%

Page 14

Technology challenge: Mobile security technology is top of mind and being deployed, but not everyone is doing all they should with respect to mobile policy and management

• Mobile policy and strategy for personal devices is not widely deployed or considered important

• Less than 40% have deployed capabilities around specific response policies for personally-owned devices or an enterprise strategy for BYOD

• Very few consider an enterprise strategy for BYOD “most important” (10%)


Technology

Page 15

“We use metrics to continually improve our processes and awareness. They help determine what happens next in order to stay ahead of the game.” (Executive VP of IT, Finance)

MEASUREMENT

Page 16

Metrics are generally used to guide budgeting and help develop strategy for the organization

• In general, technical and business metrics are still focused on operational issues

• Over 90% track the number of incidents, lost or stolen records, data or devices, and audit and compliance status

• Metrics are used more for budget reasons – 32% of respondents use metrics to guide budgeting

• Few respondents (12%) are feeding their business and security metrics into the risk process


Measurement

Page 17

Measurement challenge: Progress needs to be made translating security metrics into the language of the business

Measure financial impact

Nearly two-thirds do not translate metrics into financial outputs due to no requirement, lack of resources, and/or complexity to calculate.

“Measuring financial impact is important when we want to implement technology. What is the ROI, the cost avoidance of an incident? We use it to prove that there is value.” (CTO, Insurance)

Integrate IT and business risk

More than half don’t combine security metrics with business risk metrics; for those that do, it’s typically a line in a broader risk assessment.

“Security metrics get combined with customer satisfaction and as part of a broader scope of continuity and business impact analysis. Cybersecurity is integrated into the risk along with other issues.” (Director of IT, Utility)


Measurement

Page 18

Those that have the right combination of practices and who are addressing the challenges are evolving into a more versatile security leader – creating a new standard


“Strategic vision… Global consistency… Lots of communication… speak business value, understand risk… minimize the impact… be on the bleeding edge…”

Conclusions

Formalize your role as a CISO

Establish a security strategy

Develop effective business relations

Build trust

Invest in advanced technology when it meets a business need

Fortify your mobile security

Share information

Focus on the overall economic impact of risk

Address concerns around reputational risk and customer satisfaction

Translate and integrate metrics

Page 19

The path to a new security standard – Where are you on your journey?


Conclusions

Do you have a CISO, or a similar position – a central security leader with authority?

Have you self-assessed your overall security capabilities?

Do you understand enterprise risk and security’s role in it? Are you linked to risk processes?

Do you have a security strategy that the Board and C-suite participate in developing?

Do you have a broad set of metrics (technical, business, risk) that are communicated widely?

Are you continually reassessing your capabilities?

Are you exploring advanced technologies?

Are you investing in mobile security technology AND policy?

Are you actively fostering strong relations and building trust with key business stakeholders?

Page 20

For more information

Contact: David Jarvis, Manager, IBM Center for Applied Insights

http://www.ibm.com/ibmcai/ciso

http://www.ibm.com/security/ciso

Page 21

© Copyright IBM Corporation 2013

IBM Corporation, New Orchard Road, Armonk, NY 10504

Produced in the United States of America October 2013

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

GTP11058-USEN-00