The CISO in 2020: Prepare for the Unexpected

Fortifying for the future: Insights from the 2014 IBM Chief Information Security Officer Assessment

© 2014 IBM Corporation


The CISO Assessments have chronicled critical and emerging issues for security leaders – while also identifying leading practices to pursue

2012: Finding a strategic voice
Established three archetypes for security leaders – the Responder, the Protector, and the Influencer – and explored their characteristics.

2013: A new standard for security leaders
Identified practical steps for security leaders to reach the position of Influencer – through business practices, technology, and measurement.

2014: Fortifying for the future
Seeks to define the next stage in the evolution of security leadership in order to provide recommendations for the future.


Countries: US, Canada, UK, Australia, India

Industries: Education, Financial Markets, Healthcare Provider, Retail, Telecommunications, Banking, Consumer Products, Production/Manufacturing, Utilities and Energy, Insurance, Media and Entertainment, Travel and Transportation, Electronics, Aerospace and Defense, Agriculture, Automotive, Chemicals, Wholesale, Biotechnology/Life Sciences

63% of organizations surveyed had a named CISO

To explore the future of security leadership, we performed 138 in-depth interviews with organizations’ senior-most security leaders


For the vast majority of security leaders, the world has dramatically changed in the last three years. Leaders are:


A large majority of organizations have redefined their view of security over the past three years

More influence

90% strongly agree that they have significant influence in their organization

76% say that their degree of influence has significantly increased in the last 3 years

Organizational support

71% strongly agree that they are receiving the organizational support that they need

Strong internal collaboration

82% participate in strategic/C-suite meetings quarterly or more frequently

62% develop their security strategy in conjunction with other strategies (primarily IT, risk, and operations)


The threat is considered so great that many feel like they are losing the fight

83% say that the challenge posed by external threats has increased in the last three years (42% said dramatically)

59% strongly agree that the sophistication of attackers is outstripping the sophistication of their organization’s defenses

40% say that sophisticated external threats are their top current challenge – the number one area overall


External threats will require the most organizational effort over the next three to five years – as much as regulations, new technologies, and internal threats combined


To better manage risk, security leaders need to start securing ecosystems, not just their own organizations


62% strongly agree that the risk level to their organization is increasing due to the number of interactions and connections with customers, partners, and suppliers

86% think that formal industry-related security organizations will become more necessary in the next 3-5 years – but only 42% are currently members of such organizations today

Security leaders are more likely to share threat information with some parties than others


New technology is seen as the primary way to minimize gaps, but emerging areas may need a different approach


54% cannot envision new security technologies that are needed beyond what currently exists

72% strongly agree that real-time security intelligence is becoming increasingly important to their organization

86% have adopted cloud or have initiatives in the planning stage – of those, three-fourths see their cloud security budget increasing over the next 3-5 years

Only 45% strongly agree that they have an effective mobile device management approach


While some established capabilities are widely seen as mature, other important areas like mobile and device security need to catch up


Regulations and standards will continue to be major factors – but there is great uncertainty over exactly how

79% said the challenge from regulations and standards has increased over the past three years

Regulations and standards was the #2 area requiring the most organizational effort to address in the next three to five years (46% put it in their top three)

Given possible scenarios for the future, security leaders were most uncertain about whether governments will handle security governance on a national or global level and how transparent they will be

Only 22% think that a global approach to combating cybercrime will be agreed upon in the next three to five years


There are a number of actions security leaders can take today to begin fortifying their organizations for the future

Enhance education and leadership skills
Technology skills continue to be important, but pure business skills will take on more importance with security leaders’ growing influence

Shore up cloud, mobile, and data security
Leaders are not waiting for future technology capabilities to solve their problems; they are focused on deploying today’s security technologies to minimize their gaps

Engage in more external collaboration
Leaders should make a concerted effort to determine how to build trust and clearly assess the security of their ecosystem

Plan for multiple government scenarios
Regular dialogue with chief privacy officers and general counsels is essential for leaders to understand what requirements may arise


For more information

David A. Jarvis
Manager, Thought Leadership, IBM Center for Applied Insights

[email protected]

www.ibm.com/ibmcai/ciso
www.ibm.com/security/ciso


© Copyright IBM Corporation 2014

IBM Corporation
New Orchard Road
Armonk, NY 10504

Produced in the United States of America December 2014

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.