The CISO Agenda for 2014/2015

F. Christian Byrnes, Managing Vice-President of Gartner, closed the Gartner Security and Risk Management Summit with a look at what will be on the agenda for CISOs over the next year.

Gartner has conducted extensive research and, through a survey of 900 businesses with at least 100 employees and revenues of over $50M, concluded that C-level executives and boards are well aware of their obligations when it comes to risk, with 85% of companies having a dedicated information security team. Over a third of the respondents have the CISO reporting outside the CIO, reflecting a maturity that shows security risk is treated not as a technical concern but as a business-wide one.

A more detailed look at the survey also showed that information security programs had a high degree of organisation and formalisation, and that this extended right into the application development lifecycle as well as into regulatory compliance and process improvement.

Of the companies with information security programs, nine in ten respondents said that they had a formal data classification process, with the vast majority finding it a useful tool for managing information security effectively.

What kind of projects should CISOs be planning for 2014 to 2015? According to the research presented by Byrnes, next-gen firewalls and formal privacy programs topped the list of CISO plans for the next year. In contrast, 10 years ago the priorities were setting up a security program, refreshing the existing firewall and buying an IPS.

Looking at different industries, it is not surprising that Gartner's data, which spanned a broad array of industry verticals, found that insurance and banking had the greatest maturity when it came to IT security. In contrast, the research showed retail and education lagging.

When it comes to putting their money where their intentions are, just under half of the companies surveyed are looking to increase their budgets for network security, data security, application security and IT privacy process management. About half of the respondents expect to maintain the same level of spending on IT security, with about 10% expecting to decrease spending.

Although it is clear that the vast majority of businesses surveyed by Gartner expect to either maintain or increase their security budgets, the number of new staff looks set to remain more static, with only about a third considering some sort of increase in security staff levels.

Call to action

In closing the Security and Risk Management Summit, Byrnes offered up an action plan for attendees.

The immediate tasks for CISOs, according to Byrnes, were to focus on a subset of priority issues and to drive actions that deliver near-term improvements.

Over the next three months, he suggested, businesses need to establish a current-state baseline that becomes a foundation for continuous improvement, and then assess their planned investments and how they compare and align with Gartner's survey analysis.

For the next year the focus should be, in Gartner's view, on communicating the CISO's compelling future vision, defining and communicating realistic, measurable and time-bound goals, and establishing tracking systems to check when those goals are achieved.

This should result in the CISO further establishing credibility and elevating the image of the security organisation.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Anthony Caruana
