ciso-platform-annual-summit-2013-ciso assessment exec summary _ibm
- 1. Nov 15th 2013
A new standard for security leaders
Insights from the 2013 IBM Chief Information Security Officer Assessment
© 2013 IBM Corporation
- 2. Introduction
There is increasing attention focused on the CISO and calls to transform and broaden the role into something more than simply a protector of the enterprise
  - “Smart CISOs… should major on real security management improvements that deliver true business value.”
    “Where next for the enterprising CISO?”, David Lacey's IT Security Blog, ComputerWeekly.com, July 13, 2013
  - “It's hard being a CISO… you have a moment in the sun, however short, to demonstrate the overall business value of security in your company and the competitive advantage that provides.”
    “A CISO's Guide to Communicating with the Board”, Kyle Flaherty, 21CT, July 1, 2013
  - “…CISOs are not only reducing risk, they are gaining influence over the entire organization and building their value among management and colleagues, and becoming a trusted source for innovation and best practices”
    “Being great: Five critical CISO traits”, Joe Gottlieb, SC Magazine, June 13, 2013
  - “Chief information security officers will have to evolve into corporate information risk managers if they are to survive in the future...”
    “CISOs must shape up or ship out, says Forrester”, Warwick Ashford, ComputerWeekly.com, June 11, 2013
- 3. Introduction
This is causing organizations to ask a number of key questions around information security leadership and critical capabilities
A CEO might ask:
  - “Is my security team doing enough to protect the value of the enterprise? Do I have the right team and capabilities?”
  - “Is security just a cost center, or can it help to achieve business objectives and enable innovation?”
A CIO or Chief Information Security Officer might ask:
  - “How do I compare to other security organizations in my industry?”
  - “How should I balance my technology investments with policy development and education programs?”
  - “How do I convince my business leadership that a technology purchase is needed and worthwhile?”
- 5. Approach
Extending the prior work in order to identify better practices, we performed in-depth interviews with organizations’ senior-most security leaders
Respondent distribution
  - Role: C-level/CISO 42%, EVP/VP of IT 15%, IT Director 20%, IT Manager 24%
  - Security budget: <$100K 27%, $100K-$1M 39%, $1M+ 34%
  - Organization size: Large enterprise 83%, Mid-market 17%
  - Countries: U.S., UK, Germany, Japan
  - Industries: Aerospace and defense, automotive, banking, chemicals, consumer products, financial markets, healthcare, insurance, media and entertainment, manufacturing, pharmaceuticals, retail, travel and transportation, energy and utilities, wholesale
- 6. Overview
We uncovered a set of key findings and a set of challenges security leaders are struggling with
Key findings
  - More mature security leaders focus on strategy, policies, education, risks, and business relations
  - Leaders build trust by communicating in a transparent, frequent, credible way
  - More work needs to be done to improve information sharing outside the organization
  - Foundational security technologies are still seen as critically important
  - Mobile security technology has significant attention and investment
  - Many are using cloud for security services and are planning increased deployment in the near future
  - In general, technical and business metrics are still focused on operational issues
  - Metrics are used more for budget and strategy reasons and less for risk
  - Progress needs to be made translating security metrics into the language of the business
Challenges
  - How do I best manage a broad set of concerns from a diverse set of business stakeholders?
  - How do I improve mobile security policy and management – not just deploy the latest technology?
  - How do I translate security metrics into the language of the business to help guide strategy?
- 7. BUSINESS PRACTICES
“Security is difficult, and security people are unique. They have a different way of looking at things. We try to get away from ‘techno garble,’ which isn’t important to the business. The business needs it in black and white, no theoretical things.” (CTO, Insurance)
- 8. Business practices
What experienced security leaders say about achieving success in their role
  - Strong strategy and policy: “What’s important when making security decisions? A strategic vision, risk assessments and prioritizing around security, understanding the impact of new technology, having the ability to differentiate solutions and pick the winners.” (IT Director, Insurance)
  - Comprehensive risk management: “Risk assessment information is used to determine our security policy. It decides what, where, when, and how to protect, and the cost of doing that – the cost to the business.” (Head of IT Group, Manufacturing)
  - Effective business relations: “Getting business support is about selling. You need somebody that has business savvy, but also understands the technology – who can speak business value and understand risk.” (Chief Technology Officer, Insurance)
  - Concerted communications efforts: “Effective relationships require lots of communication, providing assistance to business leaders and requesting time in their meetings to communicate importance of security, talk about wins and communicate the risks. You open minds when you have that constant background noise.” (Director of Infrastructure, Utility)
- 9. Business practices
Business practices challenge: Security leaders have a broad set of concerns to manage from a diverse group of stakeholders
What are your C-suite’s greatest concerns?
Information security leaders have to protect against threats to brand reputation, operational downtime, compliance and regulations and financial loss
- 10. TECHNOLOGY
“You have to be on the bleeding edge of business technology and consumer technology. BYOD is starting to encompass almost everything. Devices are proliferating. Security leaders have to be smart, be savvy. Think like a user. Think about what users are doing.” (CIO, Finance)
- 11. Technology
Foundational security technologies are still seen as critically important
Most important (select top 3) [chart: percentage of respondents by technology; only the values named below are labelled]
  - Strategic and more advanced technologies have generally not risen to critical importance yet
  - Security leaders are putting an emphasis on enterprise identity and access management (51%) and network security (39%)
  - Things like advanced malware detection and security intelligence analytics haven’t risen above foundational technologies in importance
- 12. Technology
Despite concerns, many are using cloud for security services and are planning increased deployment in the near future
  - Three-fourths (76%) of the sample use some type of cloud security services
  - Privacy and security of data in a cloud environment is the number one concern (61%)
  - Most popular cloud services are data monitoring and audit, federated identity and access management, virtual environment protection and patch management
  - Planning investment in future capabilities (application threat protection)
Cloud security services, deployed (the chart also shows ‘most likely’ planned percentages per service)
  - Data monitoring and audit: 39%
  - Federated identity and access management: 39%
  - Virtual environment protection and patch management: 37%
  - Security information and event management (SIEM): 32%
  - Application threat protection: 24%
  - Other: 20%
- 13. Technology
Mobile security technology has significant attention and investment, but the focus is still on deployment
  - Mobile has significant attention: #1 most recently deployed technology (25% deployed in the past twelve months)
  - 76% see theft or loss of device or sensitive data on device as a major concern
  - Mobile capabilities are still evolving and maturing
  - Many are planning to develop an enterprise strategy for mobile security (39%), though not many have done so yet (29%)
Mobile security capabilities (currently investing / planning to develop / no plans)
  - Management capability: 78% / 10% / 12%
  - Inventory of devices: 76% / 7% / 17%
  - Published set of principles: 61% / 22% / 17%
  - Containerization and encryption: 56% / 22% / 22%
  - Incident response policy: 39% / 27% / 34%
  - Enterprise strategy: 29% / 39% / 32%
  - Location awareness: 15% / 15% / 71%
- 14. Technology
Technology challenge: Mobile security technology is top of mind and being deployed, but not everyone is doing all they should with respect to mobile policy and management
Mobile policy and strategy for personal devices is not widely deployed or considered important
  - Less than 40% have deployed capabilities around specific response policies for personally-owned devices or an enterprise strategy for BYOD
  - Very few consider an enterprise strategy for BYOD “most important” (10%)
- 15. MEASUREMENT
“We use metrics to continually improve our processes and awareness. They help determine what happens next in order to stay ahead of the game.” (Executive VP of IT, Finance)
- 16. Measurement
Metrics are generally used to guide budgeting and help develop strategy for the organization
How security and business metrics are used (multiple responses) [chart]
  - In general, technical and business metrics are still focused on operational issues
  - Over 90% track the number of incidents, lost or stolen records, data or devices, and audit and compliance status
  - Metrics are used more for budget reasons – 32% of respondents use metrics to guide budgeting
  - Few respondents (12%) are feeding their business and security metrics into the risk process
- 17. Measurement
Measurement challenge: Progress needs to be made translating security metrics into the language of the business
Measure financial impact
  - Nearly two-thirds do not translate metrics into financial outputs due to no requirement, lack of resources, and/or complexity to calculate
  - “Measuring financial impact is important when we want to implement technology. What is the ROI, the cost avoidance of an incident? We use it to prove that there is value.” (CTO, Insurance)
Integrate IT and business risk
  - More than half don’t combine security metrics with business risk metrics – for those that do, it’s typically a line in a broader risk assessment
  - “Security metrics get combined with customer satisfaction and as part of a broader scope of continuity and business impact analysis. Cybersecurity is integrated into the risk along with other issues.” (Director of IT, Utility)
- 18. Conclusions
Those that have the right combination of practices and who are addressing the challenges are evolving into a more versatile security leader – creating a new standard
  - Formalize your role as a CISO
  - Establish a security strategy
  - Develop effective business relations
  - Build trust
  - Invest in advanced technology when it meets a business need
  - Fortify your mobile security
  - Share information
  - Focus on the overall economic impact of risk
  - Address concerns around reputational risk and customer satisfaction
  - Translate and integrate metrics
“Strategic vision… Global consistency… Lots of communication… speak business value, understand risk… minimize the impact… be on the bleeding edge…”
- 19. Conclusions
The path to a new security standard – Where are you on your journey?
  - Do you have a CISO, or a similar position – a central security leader with authority?
  - Have you self-assessed your overall security capabilities?
  - Are you actively fostering strong relations and building trust with key business stakeholders?
  - Do you have a security strategy that the Board and C-suite participate in developing?
  - Do you understand enterprise risk and security’s role in it? Are you linked to risk processes?
  - Do you have a broad set of metrics (technical, business, risk) that are communicated widely?
  - Are you investing in mobile security technology AND policy?
  - Are you continually reassessing your capabilities?
  - Are you exploring advanced technologies?
- 20. For more information
Visit us @IBM Stall
http://www.ibm.com/ibmcai/ciso
http://www.ibm.com/security/ciso
- 21. © Copyright IBM Corporation 2013
IBM Corporation
New Orchard Road
Armonk, NY 10504
Produced in the United States of America
October 2013
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corporation in the United States, other countries or both. If these and other IBM
trademarked terms are marked on their first occurrence in this information with a trademark
symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned
by IBM at the time this information was published. Such trademarks may also be registered
or common law trademarks in other countries. Other product, company or service names
may be trademarks or service marks of others. A current list of IBM trademarks is available
on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be changed by IBM at
any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY
OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the
terms and conditions of the agreements under which they are provided.
GTP11058-USEN-00