
2013 IBM CISO Assessment - A new standard for security leaders


  1. A new standard for security leaders: Insights from the 2013 IBM Chief Information Security Officer Assessment. October 2013. © 2013 IBM Corporation
  2. Introduction. There is increasing attention focused on the CISO, and calls to transform and broaden the role into something more than simply a protector of the enterprise.
     "Smart CISOs... should major on real security management improvements that deliver true business value." ("Where next for the enterprising CISO?", David Lacey's IT Security Blog, July 13, 2013)
     "It's hard being a CISO... you have a moment in the sun, however short, to demonstrate the overall business value of security in your company and the competitive advantage that provides." ("A CISO's Guide to Communicating with the Board", Kyle Flaherty, 21CT, July 1, 2013)
     "...CISOs are not only reducing risk, they are gaining influence over the entire organization and building their value among management and colleagues, and becoming a trusted source for innovation and best practices." ("Being great: Five critical CISO traits", Joe Gottlieb, SC Magazine, June 13, 2013)
     "Chief information security officers will have to evolve into corporate information risk managers if they are to survive in the future..." ("CISOs must shape up or ship out, says Forrester", Warwick Ashford, June 11, 2013)
  3. Introduction. This is causing organizations to ask a number of key questions around information security leadership and critical capabilities.
     A CEO might ask:
       - "Is my security team doing enough to protect the value of the enterprise? Do I have the right team and capabilities?"
       - "Is security just a cost center, or can it help to achieve business objectives and enable innovation?"
     A CIO or Chief Information Security Officer might ask:
       - "How do I compare to other security organizations in my industry?"
       - "How should I balance my technology investments with policy development and education programs?"
       - "How do I convince my business leadership that a technology purchase is needed and worthwhile?"
  4. Introduction. Different security leader categories and characteristics were defined in the 2012 CISO Assessment, "Finding a strategic voice".
  5. Approach. Extending the prior work in order to identify better practices, we performed in-depth interviews with organizations' senior-most security leaders.
     Respondent distribution:
       Role: C-level/CISO 42%, IT Manager 24%, IT Director 20%, EVP/VP of IT 15%
       Security budget: under $100K 27%, $100K-$1M 39%, $1M+ 34%
       Organization size: large enterprise 83%, mid-market 17%
       Countries: U.S., UK, Germany, Japan
       Industries: aerospace and defense, automotive, banking, chemicals, consumer products, financial markets, healthcare, insurance, media and entertainment, manufacturing, pharmaceuticals, retail, travel and transportation, energy and utilities, wholesale
  6. Overview. We uncovered a set of key findings and a set of challenges security leaders are struggling with.
     Key findings:
       - More mature security leaders focus on strategy, policies, education, risks, and business relations
       - Leaders build trust by communicating in a transparent, frequent, credible way
       - More work needs to be done to improve information sharing outside the organization
       - Foundational security technologies are still seen as critically important
       - Mobile security technology has significant attention and investment
       - Many are using cloud for security services and are planning increased deployment in the near future
       - In general, technical and business metrics are still focused on operational issues
       - Metrics are used more for budget and strategy reasons and less for risk
       - Progress needs to be made translating security metrics into the language of the business
     Challenges:
       - How do I best manage a broad set of concerns from a diverse set of business stakeholders?
       - How do I improve mobile security policy and management, not just deploy the latest technology?
       - How do I translate security metrics into the language of the business to help guide strategy?
  7. BUSINESS PRACTICES. "Security is difficult, and security people are unique. They have a different way of looking at things. We try to get away from 'techno garble,' which isn't important to the business. The business needs it in black and white, no theoretical things." (CTO, Insurance)
  8. Business practices. What experienced security leaders say about achieving success in their role:
     Strong strategy and policy: "What's important when making security decisions? A strategic vision, risk assessments and prioritizing around security, understanding the impact of new technology, having the ability to differentiate solutions and pick the winners." (IT Director, Insurance)
     Comprehensive risk management: "Risk assessment information is used to determine our security policy. It decides what, where, when, and how to protect, and the cost of doing that, the cost to the business." (Head of IT Group, Manufacturing)
     Effective business relations: "Getting business support is about selling. You need somebody that has business savvy, but also understands the technology, who can speak business value and understand risk." (Chief Technology Officer, Insurance)
     Concerted communications efforts: "Effective relationships require lots of communication, providing assistance to business leaders and requesting time in their meetings to communicate importance of security, talk about wins and communicate the risks. You open minds when you have that constant background noise." (Director of Infrastructure, Utility)
  9. Business practices challenge: Security leaders have a broad set of concerns to manage from a diverse group of stakeholders. What are your C-suite's greatest concerns? Information security leaders have to protect against threats to brand reputation, operational downtime, compliance and regulations, and financial loss.
  10. TECHNOLOGY. "You have to be on the bleeding edge of business technology and consumer technology. BYOD is starting to encompass almost everything. Devices are proliferating. Security leaders have to be smart, be savvy. Think like a user. Think about what users are doing." (CIO, Finance)
  11. Technology. Foundational security technologies are still seen as critically important.
       - Strategic and more advanced technologies have generally not risen to critical importance yet
       - Security leaders are putting an emphasis on enterprise identity and access management (51%) and network security (39%)
       - Things like advanced malware detection and security intelligence analytics haven't risen above foundational technologies in importance
  12. Technology. Despite concerns, many are using cloud for security services and are planning increased deployment in the near future.
       - Three-fourths (76%) of the sample use some type of cloud security services
       - Privacy and security of data in a cloud environment is the number one concern (61%)
       - Most popular cloud services are data monitoring and audit, federated identity and access management, virtual environment protection and patch management
       - Planning investment in future capabilities (application threat protection)
     Cloud security services currently deployed (chart; a second series showed "most likely" planned deployments):
       Data monitoring and audit                             39%
       Federated identity and access management              39%
       Virtual environment protection and patch management   37%
       Security information and event management (SIEM)     32%
       Application threat protection                         24%
       Other                                                 20%
  13. Technology. Mobile security technology has significant attention and investment, but the focus is still on deployment.
       - Mobile has significant attention: it is the #1 most recently deployed technology (25% deployed in the past twelve months)
       - 76% see theft or loss of a device, or of sensitive data on a device, as a major concern
       - Mobile capabilities are still evolving and maturing
       - Many are planning to develop an enterprise strategy for mobile security (39%), though not many have done so yet (29%)
     Mobile security capabilities (currently investing / planning to develop / no plans):
       Management capability             78% / 10% / 12%
       Inventory of devices              76% /  7% / 17%
       Published set of principles       61% / 22% / 17%
       Containerization and encryption   56% / 22% / 22%
       Incident response policy          39% / 27% / 34%
       Enterprise strategy               29% / 39% / 32%
       Location awareness                15% / 15% / 71%
  14. Technology challenge: Mobile security technology is top of mind and being deployed, but not everyone is doing all they should with respect to mobile policy and management.
       - Mobile policy and strategy for personal devices is not widely deployed or considered important
       - Less than 40% have deployed capabilities around specific response policies for personally-owned devices or an enterprise strategy for BYOD
       - Very few consider an enterprise strategy for BYOD "most important" (10%)
  15. MEASUREMENT. "We use metrics to continually improve our processes and awareness. They help determine what happens next in order to stay ahead of the game." (Executive VP of IT, Finance)
  16. Measurement. Metrics are generally used to guide budgeting and help develop strategy for the organization.
       - In general, technical and business metrics are still focused on operational issues
       - Over 90% track the number of incidents, lost or stolen records, data or devices, and audit and compliance status
       - Metrics are used more for budget reasons: 32% of respondents use metrics to guide budgeting
       - Few respondents (12%) are feeding their business and security metrics into the risk process
  17. Measurement challenge: Progress needs to be made translating security metrics into the language of the business.
     Measure financial impact: Nearly two-thirds do not translate metrics into financial outputs, due to no requirement, lack of resources, and/or the complexity of the calculation. "Measuring financial impact is important when we want to implement technology. What is the ROI, the cost avoidance of an incident? We use it to prove that there is value." (CTO, Insurance)
     Integrate IT and business risk: More than half don't combine security metrics with business risk metrics; for those that do, it is typically a line in a broader risk assessment. "Security metrics get combined with customer satisfaction and as part of a broader scope of continuity and business impact analysis. Cybersecurity is integrated into the risk along with other issues." (Director of IT, Utility)
  18. Conclusions. Those that have the right combination of practices and who are addressing the challenges are evolving into a more versatile security leader, creating a new standard:
       - Formalize your role as a CISO
       - Establish a security strategy
       - Develop effective business relations
       - Build trust
       - Invest in advanced technology when it meets a business need
       - Fortify your mobile security
       - Share information
       - Focus on the overall economic impact of risk
       - Address concerns around reputational risk and customer satisfaction
       - Translate and integrate metrics
     "Strategic vision... Global consistency... Lots of communication... speak business value, understand risk... minimize the impact... be on the bleeding edge..."
  19. Conclusions. The path to a new security standard: where are you on your journey?
       - Do you have a CISO, or a similar position, a central security leader with authority?
       - Have you self-assessed your overall security capabilities?
       - Are you actively fostering strong relations and building trust with key business stakeholders?
       - Do you have a security strategy that the Board and C-suite participate in developing?
       - Do you understand enterprise risk and security's role in it? Are you linked to risk processes?
       - Do you have a broad set of metrics (technical, business, risk) that are communicated widely?
       - Are you investing in mobile security technology AND policy?
       - Are you continually reassessing your capabilities?
       - Are you exploring advanced technologies?
  20. For more information, contact David Jarvis, Manager, IBM Center for Applied Insights.
  21. © Copyright IBM Corporation 2013. IBM Corporation, New Orchard Road, Armonk, NY 10504. Produced in the United States of America, October 2013. IBM, the IBM logo and are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. GTP11058-USEN-00