The Evolution of the Chief Security Officer

Executive Summary

CSO magazine's recent study found that the majority (60%) of companies surveyed have an employee dedicated to IT security. This is a fairly new position for most, with an average of two years and five months experience as head of security. While the security position is a recent addition, in most companies its creation preceded September 11, 2001, signalling that IT security was a priority well before the terrorist attacks.

According to the 1,009 executives surveyed, 32% of security experts hold senior-level titles including CIO, CTO, CSO/CISO and vice president. Forty per cent of security experts listed security as their primary and singular responsibility, and 11% indicated that they were also responsible for the company's physical security. Currently, 39% of security heads report directly to the CEO, COO, CFO or other officer, while 26% report to the CIO or top IT executive.

Security executives say that electronic attacks pose the biggest concern for their company, compared to physical attacks or electronic attacks with physical consequences (e.g., an electronic attack on a nuclear power plant), and that current employees are a greater threat to their company's technology infrastructure than external persons and former employees. Close to one quarter (22%) of companies in our survey already have insurance to cover losses caused by cyber crime.

CSO Research Prediction

While 41% of the survey respondents are directors and managers currently, CSO magazine believes that responsibility for protecting the organisation’s information assets will be elevated to senior level and that the chief security officer title and position will become more prevalent. New privacy and security laws such as the anti-terrorism USA Patriot Act of 2001, and the Foreign Intelligence Surveillance Act will have a direct impact on business, specifically privacy issues and sharing of customer information. Organisations' security will be under greater scrutiny than in the past by regulators, legislators, auditors, business partners and customers. In addition to understanding technology and the business, the head of security must have the ability to team up with both business managers and the CIO to secure the organisation’s assets. Additionally, the head of security must set security policy and communicate the importance of such practices to senior management and the user community alike.

Key Findings

Title and Reporting Structure

More than half (60%) of the 1,009 respondents to our survey reported that their company employs a person dedicated to IT security. Among the companies that do not have a dedicated security person, the majority (83%) have no plans currently to hire a head of security and 14% plan to hire in 2003 or beyond.

Thirteen per cent of the 1,009 respondents were CIOs, CTOs or vice presidents of technology, while 19% had the title of chief security officer, chief information security officer or VP of security. Forty-one per cent were directors or managers of IT and slightly more than one quarter (27%) held business or military titles. When asked about their job responsibilities, 40% of the security experts surveyed said that security is their primary, singular responsibility. Sixty per cent reported that security was one of their responsibilities.

Approximately one quarter (26%) of those surveyed report directly to the CIO or head of IT and 22% report to a COO/CFO/VP or other officer. Only 17% report to the CEO or president. Fifteen per cent of the survey base report to a director and 15% listed "other."

Years of Experience and Background

On average, security experts have been in their current job for 2 years and 10 months. More than half (52%) were hired from outside the company while 48% were promoted from within. When asked about previous work experience, respondents most frequently included IT/IT consulting (100%), logistics/engineering/manufacturing (51%), accounting/administration (49%), FBI/Secret Service/military (30%) and security consulting (28%) in their work experience. Security experts included in our survey earn an average of $US105,000 annually.

Security Budget

Most companies (80%) include security as part of the IT budget, but 20% maintain a separate security budget, according to the 1,009 survey respondents. On average, 9.5% of the overall IT budget is allocated to security, and close to half (42%) of security budgets include physical and IT security. Survey respondents reported an average annual IT budget of $US8.4 million.

Security Threats

Current employees pose the greatest threat to technology infrastructure, according to 53% of the security experts in our survey. Twenty-eight per cent said that external persons posed the greatest threat. In terms of the kinds of attacks companies were most concerned with, respondents listed electronic attacks (59%) most frequently. The majority (87%) of those surveyed monitor cyber crime attempts and close to one quarter (22%) have insurance for cyber crime losses.

When asked what effects pending security regulations will have on business, respondents were most concerned about a decrease in customer confidence regarding privacy and an inability of corporations to guarantee privacy to their customers and employees. Roughly half of the respondents believe that the government, U.S. companies and their own company are better prepared to respond to a cyber attack today than before 9/11.

Methodology

CSO magazine's Security Sensor survey was administered online in July 2002. Subscribers to CSO magazine were invited to take the survey. The results shown here are based on the responses of 1,009 security professionals. When asked about title, 37% were senior-level, including CIOs, CTOs, CSO/CISO and vice presidents. Forty-five per cent of respondents were directors or managers. The margin of error for this study is +/- 3.1%.

In terms of company size, approximately 41% of the survey respondents worked at companies with annual revenue of $US1 billion or greater. Roughly 23% were from companies with annual revenue between $US100 million and $US999.9 million, and 36% listed revenue at less than $US100 million.

Respondents represented a wide range of industries including finance/banking (16%), local, state or federal government (16%), computer-related industries (7%) and telecommunications/electric/gas/transportation industries (6%).

Survey Questions

Does your organisation have a person dedicated to IT security, like a chief security officer?

60% Yes
40% No
N = 1,009

Which title best describes your level of responsibility?

13% CIO/CTO/VP
19% CSO/CISO/VP Security
41% Director/Manager/IT
27% Business/Military/Other
N = 1,009

Which statement best describes your level of responsibility with regards to your organisation’s or division's security:

5% Senior level head of both IT and physical security and security is your primary, singular responsibility
9% Senior level head of IT security and security is your primary and singular responsibility
19% Senior level in charge of IT and security is one of your responsibilities
3% Director level responsible for both IT and physical security and security is your primary, singular responsibility
7% Director level head of IT security and IT security is your primary and singular responsibility
13% Director level within IT and IT security is one of your responsibilities
3% Manager level responsible for both IT and physical security and security is your primary, singular responsibility
13% Manager level within IT and IT security is your primary and singular responsibility
18% Manager level within IT and IT security is one of your responsibilities
11% Other
N = 1,009

To whom do you report directly?

12% Chairman or CEO
4% COO
5% President
5% CFO
3% VP Finance/Administration
11% Other officer or assistant officer
26% CIO or top IS executive
19% IS Director
15% Other
N = 1,009

To whom does your direct manager report directly?

14% Board of directors
24% Chairman or CEO
4% COO
10% President
6% CFO
4% VP Finance/Administration
7% Other officer or assistant officer
22% CIO or top IS executive
3% IS Director
8% Other
N = 1,009

What range best represents your total annual compensation in 2002 (base salary, bonus, stock options)?

6% Less than $US50,000
23% $US50,000 to $US74,999
28% $US75,000 to $US99,999
18% $US101,000 to $US124,999
12% $US125,000 to $US149,999
5% $US150,000 to $US174,999
3% $US175,000 to $US199,999
2% $US200,000 to $US224,999
1% $US225,000 to $US249,999
1% $US250,000 to $US299,999
1% More than $US300,000
N = 1,009

How long have you held the title of CSO or equivalent head of security title?

37% Less than 1 year
25% Between 1 and 2 years
15% Between 2 and 3 years
7% Between 3 and 4 years
5% Between 4 and 5 years
3% Between 5 and 6 years
1% Between 6 and 7 years
1% Between 7 and 8 years
0% Between 8 and 9 years
2% Between 9 and 10 years
4% More than 10 years
N = 1,009

Years as head of security:

37% Less than 1 year
40% 1 to 3 years
12% 3 to 5 years
11% More than 5 years
N = 1,009

Average years as head of security: 2 years, 5 months

How long have you been in your current position?

27% Less than 1 year
25% Between 1 and 2 years
18% Between 2 and 3 years
8% Between 3 and 4 years
6% Between 4 and 5 years
4% Between 5 and 6 years
3% Between 6 and 7 years
2% Between 7 and 8 years
1% Between 8 and 9 years
1% Between 9 and 10 years
5% More than 10 years
N = 1,009

Were you hired for your current position from outside the company or promoted from within?

52% Hired from outside company
48% Promoted from within company
N = 1,009

In which areas do you have previous work experience? (Check all that apply.)

88% Information technology
48% Information technology consulting
28% Administration
28% Security consulting
27% Engineering
27% Military
21% Accounting/finance
16% Manufacturing/production
9% Logistics
7% Law enforcement
4% Legal (other than law enforcement, i.e., lawyer/law office, Attorney General's office)
2% FBI
1% Secret service
21% Other
N = 1,009

Is your company's security budget separate from the IT budget or a line item/part of IT budget?

20% Security budget is separate from IT budget
80% Security budget is included in IT budget
N = 1,009

If your security budget is part of the overall IT budget, please estimate the per cent of your IT budget, including for security products, systems, services and staff, that was allocated to information security in 2002:

% of IT budget 9.5%
Total Number of Responses: 829

What is your organisation’s approximate annual budget for security products, systems, services and/or staff?

2% Greater than $US250 million
1% $US100 million to $US249.9 million
1% $US50 million to $US99.9 million
2% $US25 million to $US49.9 million
3% $US10 million to $US24.9 million
5% $US5 million to $US9.9 million
15% $US1 million to $US4.9 million
11% $US500,000 to $US1 million
11% $US250,000 to $US499,999
20% $US100,000 to $US249,999
12% $US50,000 to $US99,999
17% Less than $US50,000
N = 1,009

Does your security budget include physical and IT security?

42% Yes
58% No
N = 1,009

When do you anticipate a major cyber attack by a terrorist organisation (i.e., al Qaeda) will happen?

6% Never
7% Within next three months
12% Within 3-6 months
30% Within 6 months to 1 year
11% More than 1 year
32% Unsure
N = 1,009

Which of the following do you believe are better prepared to respond to and recover from a cyber attack today than on September 11, 2001? (Check all that apply.)

52% U.S. Government
51% U.S. businesses
50% Your company
N = 1,009

Who poses the greater threat to your company's technology infrastructure?

53% Current employees
10% Former employees
28% External persons not employed by your organisation
9% Unsure
N = 1,009

In general, what kinds of attacks pose the biggest concern for your company?

8% Physical attacks (such as theft of property, etc.)
59% Electronic attacks (such as unauthorised access, virus, etc.)
3% Electronic attacks with physical consequences (e.g., attack on electronic control of a dam or nuclear power plant)
28% Same level of concern for both physical and electronic attacks
1% Unsure
N = 1,009

What do you believe is the #1 cyber security concern for the nation?

4% Economic: corporate espionage resulting in theft of proprietary data
26% Economic: disruption of essential financial services
6% Economic: financial fraud
6% National security: espionage resulting in disclosure of sensitive data
29% National security: disruption of essential public services
9% National security: destruction of essential public services
8% Privacy: Identity theft
1% Privacy: Unauthorised use of credit cards
7% Privacy: Protecting confidential information
2% Other
2% Unsure
N = 1,009

What is the monetary value of losses your company has sustained due to cyber crime in the past year?

29% Zero
26% $US1 to $US99,999
8% $US100,000 to $US499,999
1% $US500,000 to $US999,999
2% $US1 million to $US9.9 million
1% $US10 million to $US99.9 million
0% $US100 million or more
33% Unsure
N = 1,009

Regarding cyber crime, does your company: (Check all that apply.)

87% Monitor attempts
57% Monitor crimes
55% Report crimes
32% Quantify the financial cost of crimes
N = 1,009

Does your company have insurance covering losses caused by cyber crimes?

22% Yes
36% No
42% Unsure
N = 1,009

Within the next 18 months, are you planning to adopt biometrics (i.e., retina scans, fingerprint scans) for any applications at your company?

9% Yes, already adopted biometrics
15% Yes, plan to within next 18 months
33% No, not in next 18 months
32% No, not on our radar at all
11% Unsure
N = 1,009

Do you think technology vendors need to tighten up the security configuration of their products?

95% Yes
2% No
3% Unsure
N = 1,009

Corporate lawyers are facing novel business issues due to new laws (i.e., the anti-terrorism USA Patriot Act of 2001 and the Foreign Intelligence Surveillance Act) impacting privacy and the sharing of customer information with the Federal Government. What do you anticipate the potential impact of these new or existing laws will be on your organisation?

29% Inability to guarantee privacy of corporate/customer information
32% Decrease in customer confidence regarding privacy and security of personal information
19% Increase in customer confidence regarding privacy and security of personal information
7% Loss of customers
7% Increase in customers
12% Decline in e-commerce revenues
6% Increase in e-commerce revenues
20% Increase in criminal liability claims/costs
28% Increase in civil liability claims/costs
10% Increase in civil liability claims/costs
18% No impact on organisation
18% Unsure
5% Other
N = 1,009
