Are you an IT security leader - really?

A surprisingly high--unreasonably high, in fact--number of organizations think their security program is part of the vanguard of risk management.

That was one surprising finding of this year's annual Global Information Security Survey, conducted by CSO and CIO magazines in partnership with PricewaterhouseCoopers. More than 9,600 business and technology executives from around the world took the survey, and 43 percent of those surveyed believe their organizations are IT security leaders. The other categories respondents could choose from were strategist, tactician and follower.

Obviously those enterprises, by definition, can't all be at the forefront of security. "Most of these 'leaders,' in my opinion, have a false sense of their level of security," says Mark Lobel, a principal in the advisory services division of PwC.

Ahead of the Bell Curve

In an attempt to identify the organizations that might actually be information security leaders, PwC filtered the results according to conditions it felt would qualify a company to deserve the label.

First, the CISO had to report directly to a senior executive.

Second, the organization had to have an IT security strategy in place and the ability to execute that strategy.

Third, it had to have reviewed its security policy in the past year.

And finally, if the company had suffered a data breach, it had to know the breach's cause.

Under those criteria, less than 5 percent of respondents' organizations actually made the cut.

About half of respondents reported suffering one or more breaches, and a third said they weren't breached in the past year.

About 8 percent couldn't tell whether they had been breached or not. The good news from those figures is that a growing number of companies believe they understand the security events happening on their networks, and know what applications or systems were infiltrated.

However, that confidence doesn't align with the increased sophistication of malware in recent years. "In our engagements and my conversations with peers, we are dealing with more organizations that are grappling with international infiltration," says Shawn Moyer, practice manager of research consulting at Accuvant Labs. (For more on this topic, read Customized, Stealthy Malware Growing Pervasive). "Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere," Moyer says.

"I think there are a lot of executives out there with a false sense of security," says one security manager at a Midwest manufacturing firm.

"In our company, many upper managers simply choose to believe the reports that come in from the different regions. If those reports say that the systems are tight and secure, then that is management's working assumption."

So it seems many organizations are overconfident about their security posture. What attributes, then, does an IT security program need to have to truly be ahead of the pack?

"From a maturity perspective, if you have a senior manager or a junior executive who is designated as a security lead, that's my number-one criterion," says Eric Cowperthwaite, CSO at Providence Health and Services. Before you can consider your organization on the leading edge, "you have to have a security front-person, who's recognized as such in your organization, and is high enough up in the organization to have actual authority," he says. "Number two is to have a strategy, not just a road map for what technologies you are going to deploy, but a strategy for how you are going to secure and protect your systems and data," Cowperthwaite adds, an assessment that largely parallels PwC's definition.

The semantics of titles aren't a major concern. Andy Ellis, CSO at Akamai Technologies, says, "I don't think it matters what title you have. What matters is that you are efficiently reducing your risk according to your organization's business requirements."

That's hard to argue against, but few survey respondents could pass Ellis' litmus test, because so few are actually testing their security efforts. Consider this: While 63 percent of respondents have an overall IT security strategy and 85 percent employ a CISO or CSO, half or less of those surveyed are evaluating their efforts. For example, against that 63 percent with an overall information security strategy, only about 40 percent said they've established security baselines for external partners, and only 43 percent have centralized security information management processes.

Similarly low percentages of survey-takers have identity management strategies (41 percent), business continuity or disaster recovery plans (39 percent), or risk-based authentication systems (34 percent).

Business Impact

Companies that don't have a security leader, a strategy, and the ability to execute that strategy and measure their execution are likely to suffer more breaches than others--that seems obvious. But they may also be losing more business.

That's the argument made by Douglas Davidson, president and CEO of security services provider Jacadis. "Clearly, they miss [business] opportunities. We have small businesses that we work with that have been driven to follow a [standards]-based security program by their bigger customers and business partners. They've actually gained revenues because they've created a competitive advantage through the security they put in place," he says.


How can security drive revenue? By using secure processes to gain partner and customer trust, and even to deliver new services to clients. Davidson cites a recent example: "There were several banks that needed the ability to send paper statements for printing, but most of the printers in the area were not able to secure the necessary processes. This one printer was able to build proper security around their services. They then won the banks' business and were able to go out and sell that capability to other customers," Davidson says.

That anecdote shows that IT security isn't a discipline practiced within a business; it's an integral part of the business. "For any significantly sized company, information security is a critical business function because information management is a critical business function," says Cowperthwaite.

Now if only more businesses would act as if IT security is critical to their business--or at least live up to their own mental images of their security efforts.
