State of the CSO 2012: Ready for anything

The saying goes that in every crisis, there is an opportunity. Compliance requirements, data and privacy demands, and the threat landscape are constantly evolving, forcing companies to realize the importance of security and invest accordingly. As security concerns expand, so does the role of the security leader.

Our annual State of the CSO survey finds a continuation of a two-part trend that we have been tracking for many years: First, there is more awareness of security and risk among companies, and second, in response, many organizations are using more formal enterprise risk management (ERM) programs. These policies, processes, methods, metrics and measurements help shape the strategic decisions for their organization. The goal is to make security strategy both targeted and holistic, proactive and defensive.

The survey gathered responses from 228 security professionals in a broad range of industries. Among those polled, 66 percent say their organization's leadership (that is, the CEO and board of directors) placed more value on risk management in the past year. That's a solid number, even higher than the 61 percent result in 2011.

And with that perceived value comes corresponding support, in the form of money and staff. Thirty-two percent of respondents expect to add to their full-time security headcount, and 45 percent expect their organization's overall security budget to increase in the coming year. Another 42 percent think their budget will stay the same; just 11 percent expect it to decrease. (Two percent were not sure.)

While the budget is growing, the prevalence of formal ERM programs is holding steady. The survey found that 56 percent of those polled say their organization now uses a formal ERM process or methodology that incorporates multiple types of risk and that goes beyond just physical and IT security. That's consistent with our findings in the past two years.

The State of the CSO results demonstrating the maturation of the security leader role are mirrored in IT-specific research from Wisegate, a professional network for security executives to share information. Wisegate found that the CISO's role is shifting from "a glorified IT security administrator, babysitting firewalls and cleaning malware from infected systems, to holistic risk management--from firefighting security breaches to anticipating fires before they start."

According to a recent Wisegate member poll, close to 100 percent of participants say they have combined information security and risk management responsibilities. Growing compliance requirements and the general threat landscape were cited as the two primary drivers of their increasing risk management responsibilities.

Philip Agcaoili, CISO with Cox Communications, the third-largest cable operator in the United States, has been a security executive for over a decade. A self-proclaimed "joiner," he says he has been networking with others in security since he became Verisign's first CSO in 1998, and he has since held several CSO positions. He has seen these changes coming for years, he says.

"I think gravity took its course," says Agcaoili. "At the end of the day, no security organization I've been a part of has ever had infinite resources. Risk management was a way to ingest findings or issues, determine the risk to the company, and articulate to the business what the risks were. And it helped us prioritize with the business with what needed to get done."

Formal ERM programs have begun to show up in many organizations. Obviously, the components of these programs vary from place to place, industry to industry. But they all have at least one thing in common: They seek to ensure the success of the organization through "sound, proactive thinking and strategy relative to risk," according to David Sherry, CISO of Brown University.

"By identifying and quantifying the probability and impact of security events, the security mission is supported by language that the board can understand, without relying on fear, uncertainty and doubt," Sherry says.

Dennis Treece, director of corporate security for Massport--the public authority that oversees airports, seaports and many transportation services in Massachusetts--works with many departments and staff within his organization. Leading security for one of the most scrutinized transportation hubs in the world demands a risk strategy that encompasses both physical and digital security.

"To me, ERM implies an all-hazards approach that takes into account everything from utilities infrastructure failure to bad weather, to pandemics, to accidents, to building things on the cheap and poor maintenance, to terrorism," says Treece.

"Also, to me, ERM is collaboration among all the people who understand the risk components the organization faces and who are involved in the risk process, accept risk, or reduce it or transfer it--or any combination of those things."

Consequently, Treece's team comprises a diverse set of individuals. "The insurance broker here is on my team, the internal auditors are on my team, two legal counsel, police and rescue, the operations and facilities staff," Treece noted. "We cannot exist today without them because security is so technology-driven and -dependent."

But working with personnel from various departments is not without its challenges, both for the CSO and for the professionals who come from backgrounds not typically associated with security.

Dave Notch, who was until recently the CISO with business-data provider Thomson Reuters, says he saw the difficulties that can result when bringing in employees from other disciplines and trying to make them all part of one security and risk team. His experience tells him that a one-size-fits-all approach cannot work in many industries.

"One of the most direct examples was when we had discussions about integrating physical and IT security, which, ultimately, we never did," recalled Notch, who was responsible for managing the corporate programs for information security, business continuity, disaster recovery and technology-related audit and compliance activities. "But, I think regardless of which department they are coming from, it's difficult to find people that can cross those boundaries and talk about all areas of risk intelligently."

Brown's Sherry says sometimes the challenge is making headway in a culture that doesn't always understand the issues around risk. Sherry, who has been in IT management for 20 years, first became interested in security during the Y2K scare over a decade ago. In his four years with Brown, he has seen his role become much broader and more focused on risk management and compliance, and it now includes areas such as "records management, copyright law, all kinds of things they throw at me," he says. But while the university increasingly puts value on security and risk management, Sherry still finds it tough at times to make the case for investment.

"The challenge in higher ed is creating relevance for the security mission and the privacy and compliance mission," says Sherry. "It's making sure the university understands the implications of not following best practices and regulatory mandates."

As Sherry's experience shows, selling security has always been difficult. So one of the goals of ERM programs is to give security managers a quantifiable set of metrics that help clarify the case for investing.

"As I have defined it and as I implement it here, I have a risk chart that lists our top 20 risk cases in order of significance to the organization," says Treece. "I use this to then determine what gaps we have between this list and efforts to address those risk cases. Where we need to do more, I use [the chart] to influence the budget process, to reduce or transfer the risks we find to be unacceptable."

In order to succeed in ERM-driven environments, CSOs and CISOs agree that security managers need to bone up on business skills--nothing surprising there. Communicating with the executive management team (which is engaged in 86 percent of respondents' ERM programs) takes a new level of business understanding among security pros.

"In the last decade, it's been helpful to have a business discussion using risk terms. And business leaders have gravitated toward it," says Agcaoili. "In security, there is always a new problem, and risk management has allowed me to identify risk based on issues or findings, develop what the risks are, and then prioritize and work with the business to actually invest in that."

"I work with a lot of other CSOs from banks, from universities, from all over," says Treece. "We are all different; we have different cultures and budgets. But we all have the same basic requirements to secure the business defensively in an affordable way. In order for that to happen, security people today need to learn to speak business."