The 2012 State of the CSO survey shows progress toward a deeper level of business understanding and a wider knowledge of risk management
October 01, 2012
The saying goes that in every crisis, there is an opportunity.
Compliance requirements, data and privacy demands, and the threat
landscape are constantly evolving, forcing companies to realize the
importance of security and invest accordingly. As security concerns
expand, so does the role of the security leader.
Our annual State of the CSO survey finds a continuation of a two-part
trend that we have been tracking for many years: First, there is more
awareness of security and risk among companies, and second, in response,
many organizations are using more formal enterprise risk management (ERM) programs.
These policies, processes, methods, metrics and measurements help shape
the organization's strategic decisions. The goal is to make
security strategy both targeted and holistic, proactive and defensive.
The survey gathered responses from 228 security professionals in a
broad range of industries. Among those polled, 66 percent say their
organization's leadership (that is, the CEO and board of directors)
placed more value on risk management in the past year. That's a solid
number, even higher than the 61 percent result in 2011.
And with that perceived value comes corresponding support, in the
form of money and staff. Thirty-two percent of respondents expect to add
to their full-time security headcount, and 45 percent expect their
organization's overall security budget to increase in the coming year.
Another 42 percent think their budget will stay the same; just 11
percent expect it to decrease. (Two percent were not sure.)
While the budget is growing, the prevalence of formal ERM programs is
holding steady. The survey found that 56 percent of those polled say
their organization now uses a formal ERM process or methodology that
incorporates multiple types of risk and that goes beyond just physical
and IT security. That's consistent with our findings in the past two
years.
The State of the CSO results demonstrating the maturation of the
security leader role are mirrored in IT-specific research from Wisegate,
a professional network for security executives to share information.
Wisegate found that the CISO's role is shifting from "a glorified IT
security administrator, babysitting firewalls and cleaning malware from
infected systems, to holistic risk management—from firefighting security
breaches to anticipating fires before they start."
According to a recent Wisegate member poll, close to 100 percent of
participants say they have combined information security and risk
management responsibilities. Growing compliance requirements and the general threat landscape were cited as the two primary drivers of their increasing risk management responsibilities.
Philip Agcaoili, CISO with Cox Communications, the third-largest
cable operator in the United States, has been a security executive for
over a decade. A self-proclaimed "joiner," he says he has been
networking with others in security since he became Verisign's first CSO
in 1998, and he has since held several CSO positions. He has seen these
changes coming for years, he says.
"I think gravity took its course," says Agcaoili. "At the end of the
day, no security organization I've been a part of has ever had infinite
resources. Risk management was a way to ingest findings or issues,
determine the risk to the company, and articulate to the business what
the risks were. And it helped us prioritize with the business with what
needed to get done."
CXO Media Inc.