May 04, 2012, 7:22 AM — The organizations best-prepared to face today's security threats share a fundamental profile that separates them from organizations trapped in crisis-response mode. That's the finding of the IBM Center for Applied Insights, which recently conducted double-blind interviews of 138 security leaders, chief information security officers (CISOs) and other IT and line-of-business executives responsible for information security in the enterprise, to gain a better understanding of security leaders' strategies and approaches.
Marc van Zadelhoff, vice president of Strategy for IBM Security Systems, says the study led IBM to divide security leaders into three categories based on both the maturity of their organization and its breach preparedness.
The lowest-ranking category, representing 28% of respondents, is the Responders. Responders remain trapped in response mode. They work to protect the enterprise and comply with regulations and standards, but van Zadelhoff notes they struggle to make strategic headway and may not yet have the resources or business influence to drive significant change.
The middle category, representing 47% of respondents, is the Protectors. Van Zadelhoff says Protectors recognize that security is a strategic priority but lack the metrics-driven view and the budget authority to transform their organization's security approach.
The most forward-thinking security leaders are the Influencers, representing 25% of the respondents. Influencers have a strategic voice in the enterprise that comes with both business influence and authority.
IBM explored three broad categories when creating the security profiles: structure and management, organizational reach, and measurement.
Structure and Management
One of the most telling characteristics that sets Influencers and Protectors apart from Responders is the presence of a dedicated leader for the security role with a strategic, enterprise-wide purview. Influencer organizations are more likely to appoint a CISO because their senior management recognizes the need for a coordinated approach, van Zadelhoff explains.
"A lot of people don't have an officially named CISO," van Zadelhoff says. "About half of the companies in the survey didn't have a single person named into that role, whether in name or in spirit. Companies that have an Influencer in the role versus merely a Responder, the Influencers tend to have a dedicated CISO."
The most progressive security organizations also tend to have a security steering committee headed by a senior executive, often the CISO, with a charter to evaluate security issues holistically and develop an integrated enterprise strategy. The security/risk committee is responsible for systemic changes that span functions, including legal, business operations, finance, human resources and more. Responders, in particular, often lack a CISO and security steering committee.
IBM says that organizations that lack a dedicated security leader and security steering committee have a more tactical and fragmented approach to security.
"This is where we see a lot of difference between the CISOs that are succeeding and the ones that are flailing," van Zadelhoff says. "The successful ones are getting the buy-in from non-security executives."
Influencers also tend to have a dedicated security budget line item that supports their efforts. Whether organizations are Responders, Protectors or Influencers, CIOs typically control that budget, though in Protector and Influencer organizations that authority often rests with business leaders instead. Among Influencers, CEOs are just as likely as CIOs to steer the information security budget. Van Zadelhoff says a lack of a dedicated budget line item forces security organizations to constantly negotiate for funding or limits the scope of initiatives to specific functions or silos.
Organizational Reach
IBM says the most progressive security organizations also have the attention of business leaders and their boards, not just as ad-hoc topics but as a regular part of business discussions. This gives CISOs the ability to focus their efforts on enterprise-wide education, collaboration and communication.
In fact, while the more tactically oriented Responders are focusing their attention on foundational building blocks (new security technology to close security gaps, redesigning business processes and hiring new staff), Influencers are concentrating on creating a culture in which employees take a more proactive role in protecting the enterprise. And IBM says their greater integration with the business gives them the additional ability to influence the design of new products and services, incorporating security considerations early in the process.
Measurement