finding a strategic voice - ibm ciso study
DESCRIPTION
Insights from the 2012 IBM Chief Information Security Officer Assessment and the role of the CISO
TRANSCRIPT
© 2012 IBM Corporation
Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment
IBM Security Services
IBM CISO Scope
One of the largest and most complex internal IT infrastructures in the world:
• 2,000-plus major sites (major employee sites, customer fulfillment, manufacturing, Employee Service Centers, IBM Research Centers, IBM Internal Data Centers)
• 170-plus countries
• 400,000-plus employees
• About 200,000-plus contractors
• 800,000-plus traditional endpoints
• About 50 percent of employees are mobile
+ 3K Strategic Outsourcing customers
Executive roles: CIO or CTO, CFO, CLO, CRO, CSO (aka Chief Information Security Officer)
CSO functions:
• Risk & Compliance
• Policy & Education
• Architecture (tools)
• Operations
• Incident Response
Our customers are just beginning to appoint CISOs.
81% of CISO functions are re-organizing or have been re-organized within the last 6 months. Changes include increased scope and change in reporting line.
Source: Corporate Executive Board, IREC Study, July 2012
IBM’s 2012 Chief Information Security Officer Study
• Explores the organizational and leadership aspects of information security
• Tests whether the role of information security leaders is dramatically changing based on:
– Increasing numbers of security challenges
– More attention from business leaders
• Included senior IT decision-makers across a broad range of industries
• Respondents included a combination of Large Enterprise (73%) and Mid-Market (27%)
Security leaders agree: the security landscape is changing
• Nearly two-thirds say senior executives are paying more attention to security issues.
• Two-thirds expect to spend more on security over the next two years.
• External threats are rated as a bigger challenge than internal threats, new technology or compliance.
• More than one-half say mobile security is their greatest near-term technology concern.
Business leaders are paying more attention to security issues
64% say attention from business leadership has increased over the past two years. Drivers cited by respondents:
• Increased external risks (prior experience): “We were the victims of a hacker attack and lost a lot of important information.”
• Awareness of threats via media outlets: “Almost every day we hear about other companies receiving cyber attacks.”
• Internal risks: “Internal information, for example, the exchange with colleagues and customers, leads to an increase in attentiveness.”
• Compliance/regulatory pressure: “[Due to] the risk of lawsuits, competitors gaining our info, and compliance fines.”
• Priority of executive leadership: “I think the main driver is [that] our corporate headquarters is focusing on this area and pushing the info to business leadership.”
Security leaders see external threats as greatest challenge today
The emergence of “de-perimeterizing” technologies
• 69% of respondents ranked external threats as either their #1 or #2 challenge
• 55% rated mobility issues their primary technology concern over next two years
Base size: CISO Total = 138
Primary Security Challenges to Organization:
• External threats: 35%
• Internal threats: 25%
• New technologies and technology trends: 20%
• Regulations and standards: 20%
Technology Concerns Over Next 2 Years:
• Mobility: 55%
• Cloud computing, database storage and other share the remaining 20%, 16% and 10%
Security leaders are emerging as key business decision-makers
More strategic leadership roles are now expected in next two years
• Higher importance: “It is going to become more prominent, a Chief Security Officer who will report to the CEO, not just IT related.”
• Wider responsibility: “More accountable to the business. Their audience is expanding.”
• Shifting priorities: “…will work more in the policy field... There will be a continuous adjustment of policies in order to protect access to information and the access and transfer of data.”
Further respondent comments:
• “…will have a much larger say in the matter…influence and his decision-making power within the company will grow.”
• “In general their role will be moving away from specific risks to global risks. The role will be much larger than it used to be.”
• “The leaders will create new tools to avoid risks.”
Three types of Security Leadership Models
Responders
• Establishing a dedicated security leadership role
• Automating routine security processes
• Primary driver: Crisis
Protectors
• Aligning security initiatives to broader enterprise priorities
• Learning from and collaborating with a network of security peers
• Primary driver: Compliance
Influencers
• Strengthening communication, education and business leadership
• Using insights from metrics and data analysis
• Primary driver: Risk
“Security leaders are becoming more closely integrated into the business… …and more independent of information technology.”
Influencers vs. Responders
Influencers are:
• 2x more likely to have a dedicated CISO
• 2.5x more likely to have a security or risk committee
• 3x more likely to have information security as a board topic
• 2x more likely to use standard security metrics to track progress
• 4x more likely to be focused on improving enterprise-wide communication and collaboration over the next two years
• 2x more likely to focus on providing education and awareness than implementing new security technology over next two years
The CISO action plan…
Responders: Move beyond the tactical focus by…
• Establishing a dedicated security leadership role
• Assembling a security and risk committee
• Measuring progress
Protectors: Make security more of a strategic priority by…
• Investing more budget on reducing future risks
• Aligning security initiatives with enterprise priorities
• Collaborating and learning with a network of peers
Influencers: Innovate and advance security approaches by…
• Strengthening communication, education and business leadership skills to cultivate a more risk-aware culture
• Using insights from metrics and data analysis to identify high-value improvement areas
IBM Security Systems
Your questions?
IBM Confidential 08/13/12 - v2.7