© 2014 IBM Corporation
Fortifying for the future
Insights from the 2014 IBM Chief Information Security Officer Assessment
December 2014
The CISO Assessments have chronicled critical and emerging issues for security leaders – while also identifying leading practices to pursue
2012: Finding a strategic voice. Established three archetypes for security leaders – the Responder, the Protector, and the Influencer – and explored their characteristics.
2013: A new standard for security leaders. Identified practical steps for security leaders to reach the position of Influencer – through business practices, technology, and measurement.
2014: Fortifying for the future. Seeks to define the next stage in the evolution of security leadership in order to provide recommendations for the future.
To explore the future of security leadership, we performed 138 in-depth interviews with organizations’ senior-most security leaders
Countries: US, Canada, UK, Australia, India
Industries: Education, Financial Markets, Healthcare Provider, Retail, Telecommunications, Banking, Consumer Products, Production/Manufacturing, Utilities and Energy, Insurance, Media and Entertainment, Travel and Transportation, Electronics, Aerospace and Defense, Agriculture, Automotive, Chemicals, Wholesale, Biotechnology/Life Sciences
63% of organizations surveyed had a named CISO
For the vast majority of security leaders, the world has dramatically changed in the last three years. Leaders are:
A large majority of organizations have redefined their view of security over the past three years
More influence
90% strongly agree that they have significant influence in their organization
76% say that their degree of influence has significantly increased in the last 3 years
Organizational support
71% strongly agree that they are receiving the organizational support that they need
Strong internal collaboration
82% participate in strategic/C-suite meetings quarterly or more frequently
62% develop their security strategy in conjunction with other strategies (primarily IT, risk, and operations)
The threat is considered so great that many feel like they are losing the fight
83% say that the challenge posed by external threats has increased in the last three years (42% said dramatically)
59% strongly agree that the sophistication of attackers is outstripping the sophistication of their organization’s defenses
40% say that sophisticated external threats are their top current challenge – the number one area overall
External threats will require the most organizational effort over the next three to five years – as much as regulations, new technologies, and internal threats combined
To better manage risk, security leaders need to start securing ecosystems, not just their own organizations
62% strongly agree that the risk level to their organization is increasing due to the number of interactions and connections with customers, partners, and suppliers
86% think that formal industry-related security organizations will become more necessary in the next 3-5 years – but only 42% are currently members of such organizations today
Security leaders are more likely to share threat information with some parties than others
New technology is seen as the primary way to minimize gaps, but emerging areas may need a different approach
54% cannot envision new security technologies that are needed beyond what currently exists
72% strongly agree that real time security intelligence is becoming increasingly important to their organization
86% have adopted cloud or have initiatives in the planning stage – of those, three-fourths see their cloud security budget increasing over the next 3-5 years
Only 45% strongly agree that they have an effective mobile device management approach
While some established capabilities are widely seen as mature, other important areas like mobile and device security need to catch up
Regulations and standards will continue to be major factors – but there is great uncertainty over exactly how
79% said the challenge from regulations and standards has increased over the past three years
Regulations and standards was the #2 area requiring the most organizational effort to address in the next three to five years (46% put it in their top three)
Given possible scenarios for the future, security leaders were most uncertain about whether governments will handle security governance on a national or global level and how transparent they will be
Only 22% think that a global approach to combating cybercrime will be agreed upon in the next three to five years
There are a number of actions security leaders can take today to begin fortifying their organizations for the future
Enhance education and leadership skills: Technology skills continue to be important, but pure business skills will take on more importance with security leaders’ growing influence
Shore up cloud, mobile, and data security: Leaders are not waiting for future technology capabilities to solve their problems; they are focused on deploying today’s security technologies to minimize their gaps
Engage in more external collaboration: Leaders should make a concerted effort to determine how to build trust and clearly assess the security of their ecosystem
Plan for multiple government scenarios: Regular dialogue with chief privacy officers and general counsels is essential for leaders to understand what requirements may arise
For more information
David A. Jarvis
Manager, Thought Leadership, IBM Center for Applied Insights
www.ibm.com/ibmcai/ciso
www.ibm.com/security/ciso
© Copyright IBM Corporation 2014
IBM Corporation
New Orchard Road
Armonk, NY 10504
Produced in the United States of America December 2014
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.