Finding a Strategic Voice - IBM CISO Study

© 2012 IBM Corporation Finding a Strategic Voice Insights from the 2012 IBM Chief Information Security Officer Assessment

Upload: ibmgovernmentca

Post on 18-Nov-2014

DESCRIPTION

Insights from the 2012 IBM Chief Information Security Officer Assessment and the role of the CISO

TRANSCRIPT

Page 1: Finding a Strategic Voice - IBM CISO Study

Finding a Strategic Voice

Insights from the 2012 IBM Chief Information Security Officer Assessment

Page 2: Finding a Strategic Voice - IBM CISO Study

IBM Security Services

IBM CISO Scope

Major employee sites

Customer fulfillment

Manufacturing

Employee Service Centers

IBM Research Centers

IBM Internal Data Centers

• 2,000-plus major sites

• 170-plus countries

• 400,000-plus employees

• About 200,000-plus contractors

One of the largest and most complex internal IT infrastructures in the world

• 800,000-plus traditional endpoints

• About 50 percent of employees are mobile

+ Strategic 3K Strategic Outsourcing Customers

Page 3: Finding a Strategic Voice - IBM CISO Study

CIO or CTO

CFO

CLO

CRO

CSO (aka Chief Information Security Officer)

Risk & Compliance

Policy & Education

Architecture (tools)

Operations

Incident Response

Our customers are just beginning to appoint CISOs

81% of CISO functions are re-organizing or have been re-organized within the last 6 months.

Changes include increased scope, change in reporting line.

Source: Corporate Executive Board, IREC Study, July 2012

Page 4: Finding a Strategic Voice - IBM CISO Study

• Explores the organizational and leadership aspects of information security

• Tests if the role of information security leaders is dramatically changing based on:

– Increasing numbers of security challenges

– More attention from business leaders

• Included senior IT decision-makers across a broad range of industries

• Respondents included a combination of Large Enterprise (73%) and Mid-Market (27%)

IBM’s 2012 Chief Information Security Officer Study

Page 5: Finding a Strategic Voice - IBM CISO Study

Security leaders agree: the security landscape is changing

Nearly two-thirds say senior executives are paying more attention to security issues.

Two-thirds expect to spend more on security over the next two years.

External threats are rated as a bigger challenge than internal threats, new technology or compliance.

More than one-half say mobile security is their greatest near-term technology concern.

Page 6: Finding a Strategic Voice - IBM CISO Study

Business leaders are paying more attention to security issues

64% say attention from business leadership has increased over the past two years

“We were the victims of a hacker attack and lost a lot of important information.”

Awareness of threats via media outlets

Increased external risks (prior experience)

Compliance/regulatory pressure

Priority of executive leadership

“Almost every day we hear about other companies receiving cyber attacks.”

Internal risks

“Internal information, for example, the exchange with colleagues and customers, lead to an increase in attentiveness.”

“[Due to] the risk of law suits, competitors gaining our info, and compliance fines.”

“I think the main driver is [that] our corporate headquarters is focusing on this area and pushing the info to business leadership.”

Page 7: Finding a Strategic Voice - IBM CISO Study

Security leaders see external threats as greatest challenge today

The emergence of “de-perimeterizing” technologies

69% of respondents ranked external threats as either their #1 or #2 challenge

55% rated mobility issues their primary technology concern over next two years

[Chart: Primary Security Challenges to Organization. Categories: Regulations and standards; New technologies and technology trends; Internal threats; External threats. Values shown: 20%, 20%, 25%, 35%. Base sizes: CISO Total = 138]

[Chart: Technology Concerns Over Next 2 Years. Categories: Mobility; Cloud computing; Database storage; Other. Values shown: 55%, 20%, 16%, 10%]

Page 8: Finding a Strategic Voice - IBM CISO Study

Security leaders are emerging as key business decision-makers

More strategic leadership roles are now expected in next two years

Higher importance

“It is going to become more prominent, a Chief Security Officer who will report to the CEO, not just IT related.”

Wider responsibility

“More accountable to the business. Their audience is expanding.”

Shifting priorities

“…will work more in the policy field... There will be a continuous adjustment of policies in order to protect access to information and the access and transfer of data.”

“…will have a much larger say in the matter…influence and his decision-making power within the company will grow.”

“In general their role will be moving away from specific risks to global risks. The role will be much larger than it used to be.”

“The leaders will create new tools to avoid risks.”

Page 9: Finding a Strategic Voice - IBM CISO Study

Three types of Security Leadership Models

Responders

• Establishing a dedicated security leadership role

• Automating routine security processes

• Primary driver: Crisis

Protectors

• Aligning security initiatives to broader enterprise priorities

• Learning from and collaborating with a network of security peers

• Primary driver: Compliance

Influencers

• Strengthening communication, education and business leadership

• Using insights from metrics and data analysis

• Primary driver: Risk

“Security leaders are becoming more closely integrated into the business… …and more independent of information technology.”

Page 10: Finding a Strategic Voice - IBM CISO Study

Influencers vs. Responders

• 2x more likely to have a dedicated CISO

• 2.5x more likely to have a security or risk committee

• 3x more likely to have information security as a board topic

• 2x more likely to use standard security metrics to track progress

• 4x more likely to be focused on improving enterprise wide communication and collaboration over the next two years

• 2x more likely to focus on providing education and awareness than implementing new security technology over next two years

Page 11: Finding a Strategic Voice - IBM CISO Study

The CISO action plan…

Responders

Move beyond the tactical focus by…

• Establishing a dedicated security leadership role

• Assembling a security and risk committee

• Measuring progress

Protectors

Make security more of a strategic priority by…

• Investing more budget on reducing future risks

• Aligning security initiatives with enterprise priorities

• Collaborating and learning with a network of peers

Influencers

Innovate and advance security approaches by…

• Strengthening communication, education and business leadership skills to cultivate a more risk-aware culture

• Using insights from metrics and data analysis to identify high-value improvement areas

Page 12: Finding a Strategic Voice - IBM CISO Study

IBM Security Systems

Your questions?

Page 13: Finding a Strategic Voice - IBM CISO Study

IBM Confidential 08/13/12 - v2.7