IBM study reveals best practices of information security officers

IBM's freshly released insights from its 2013 IBM Chief Information Security Officer Assessment, show that three areas impact security leaders, namely business practices, technology maturity and measurement capabilities.

The study leverages the know-how from experienced security leaders to outline a set of leading practices to help define the role of the security officer.

Conducted by the IBM Center for Applied Insights, in collaboration with IBM Security Systems and IBM Security Services, the study delved into in-depth interviews with senior leaders who have responsibility for information security in their organisations.

The goal of the interviews was to identify specific organisational practices and behaviours that could strengthen the role and influence of other security leaders. To maintain continuity, interviewees were recruited from the pool of 2012 research participants--80 percent of those recruited were prior participants--with an emphasis on more mature security leaders.

As emerging technologies like cloud adoption and mobile computing present new opportunities to organisations, the risk to data grows. Coupled with sophisticated and advanced threats from attackers, the role of the CISO is becoming more strategic within many organisations. Today's experienced CISO is required to be both a technologist and a business leader, with the ability to address board level concerns as well as manage complex technologies.

To help CISOs better protect their organisation and understand how their roles compare with those of other CISOs, the 2013 IBM CISO Assessment identifies practices and behaviours that can strengthen the role of information security leaders.

This year's study uncovered key findings, leading practices, and a set of shortcomings that even mature security leaders are wrestling with. Looking in depth at three areas--business practices, technology maturity, and measurement capabilities--the study shows a guide for both new and experienced security leaders.

Business practices

The security leaders interviewed stress the need for strong business vision, strategy and policies, comprehensive risk management, and effective business relations to be impactful in their roles. Understanding the concerns of their C-suite is also critical. More mature security leaders meet regularly with their board and C-suite, thereby improving relations.

When they meet, the top topics that they discuss include identifying and assessing risks (59 percent), resolving budget issues and requests (49 percent) and new technology deployments (44 percent). The challenge for security leaders is to successfully manage the diverse security concerns of the business.

Technology maturity

Mobile security is the number one "most recently deployed" security technology, with one-quarter of security leaders deploying it in the past 12 months. Although privacy and security in a cloud environment are still concerns, three-fourths (76 percent) have deployed some type of cloud security services--the most popular being data monitoring and audit, along with federated identity and access management (both at 39 percent).

While cloud and mobile remain important within many organisations, foundational technologies that CISOs are focusing on include identity and access management (51 percent), network intrusion prevention and vulnerability scanning (39 percent) and database security (32 percent).

The primary mobile challenge for security leaders is to advance beyond the initial steps and think less about technology and more about policy and strategy. The report also shows that less than 40 percent of organisations have deployed specific response policies for personally owned devices or an enterprise strategy for bring-your-own-device (BYOD).

However, this gap is being recognised, establishing an enterprise strategy for BYOD (39 percent) and an incident response policy of personally owned devices (27 percent) are the two top planned areas for development for the next 12 months.

Measurement capabilities

Security leaders use metrics mainly to guide budgeting and to make the case for new technology investment. In some cases, they use measurements to help develop strategic priorities for the security organisation. In general, however, technical and business metrics are still focused on operational issues. For example, over 90 percent of interviewees track the number of security incidents, lost or stolen records, data or devices, and audit and compliance status--fundamental dimensions one would expect security leaders to track.

Only 12 percent of respondents are feeding business and security measures into their enterprise risk process even though security leaders say the impact of security on overall enterprise risk is their most important success factor.

"It's evident in this study that security leaders need to focus on finding the delicate balance between developing a strong, holistic security and risk management strategy, while implementing more advanced and strategic capabilities--such as mobility and BYOD," said David Jarvis, author of the report and manager at the IBM Center for Applied Insights.

The full study is available here.

Join the CSO newsletter!

Error: Please check your email address.

Tags business issuespersonnelIBMsecurity

More about IBM AustraliaSecurity SystemsTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by T.C. Seow

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place