The 2012 State of the CSO survey shows progress toward a deeper level of business understanding and a wider knowledge of risk management
Our annual State of the CSO survey finds a continuation of a two-part trend that we have been tracking for many years: First, there is more awareness of security and risk among companies, and second, in response, many organizations are using more formal enterprise risk management (ERM) programs. These policies, processes, methods, metrics and measurements help shape the strategic decisions for their organization. The goal is to make security strategy both targeted and holistic, proactive and defensive.
The survey gathered responses from 228 security professionals in a broad range of industries. Among those polled, 66 percent say their organization's leadership (that is, the CEO and board of directors) placed more value on risk management in the past year. That's a solid number, even higher than the 61 percent result in 2011.
[Also read The decade of the CSO]
And with that perceived value comes corresponding support, in the form of money and staff. Thirty-two percent of respondents expect to add to their full-time security headcount, and 45 percent expect their organization's overall security budget to increase in the coming year. Another 42 percent think their budget will stay the same; just 11 percent expect it to decrease. (Two percent were not sure.)
While the budget is growing, the prevalence of formal ERM programs is holding steady. The survey found that 56 percent of those polled say their organization now uses a formal ERM process or methodology that incorporates multiple types of risk and that goes beyond just physical and IT security. That's consistent with our findings in the past two years.