Chief security officers becoming more strategic, says IBM

Critical importance of CISO role increasingly recognised by the best companies - survey

The role of chief information security officers has risen in status as high-profile hacking and data breaches have highlighted the central importance of security to the modern organisation.

CISOs' roles have become more strategic, shifting towards intelligence and risk management as they are increasingly expected to anticipate potential problems and mitigate the risks they may pose before they strike.

These are some of the key highlights of a survey of 130 CISOs across the world, conducted by computer giant IBM. The company suggests that a combination of high-profile computer security breaches and the recognition of the importance of security to mobile commerce is responsible for the elevated responsibility that CISOs are starting to enjoy today.

David Jarvis, one of the authors of the report and a senior consultant at the IBM Center for Applied Insights, said that a "new class" of CISO leaders were emerging with the ability to articulate a strategic voice, enabling them to be more proactive in the organisation.

"We see the path of the CISO now maturing in a similar pattern to the CFO from the 1970s, [and] the CIO from the 1980s – from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organisations," said Jarvis.

As a result, two-thirds of the respondents said that they expected spending on information security to increase over the next two years – with 90% of those expecting double-digit increases.

Overall, IBM noted the following characteristics of a mature security practice:

• Security is increasingly regarded as a business imperative: 60 per cent of respondents said that security is a regular topic of discussion in the boardroom, while the most forward-thinking organisations, IBM claimed, will have established a security steering committee to ensure that their approach to security is robust and systemic;

• Reliance on data-driven decision making;

• Shared budgetary responsibility across the 'CxO' level: while CIOs typically have control of the information security budget, investment authority more often lies with business leaders. And the more advanced an organisation, the more likely security investment decision-making would be driven by the CEO.

"Security in a hyper-connected era presents a new set of challenges, but these can be greatly eased by implementing innovative practices and adopting a more integrated, holistic approach," said Marc van Zadelhoff, vice president of strategy at IBM Security Systems.