News Analysis: IBM study shows CISOs fear cloud and mobile but are deploying it

22 October 2013

As emerging technologies like cloud and mobile computing present new opportunities, the risk to data security grows but the efficiency, operational and customer benefits mean it cannot be ignored, says IBM’s latest CISO Assessment.

The study of 138 chief information security officers (CISOs) by IBM shows that information security professionals at banks, businesses and in the public sector also understand that the cloud and mobile technology can be used in the fight against fraud and data leaks too, with 76% of respondents saying they’ve deployed some type of cloud security service recently. Over a third, 39%, said they are going to introduce a mobile enterprise strategy for bring your own device (BYOD) or an incident response policy (27%) to try to protect company networks.

The enthusiasm for the mobile channel as a means to fight fraud and data insecurity is admirable, but with 66% of respondents to the IBM survey saying that they are ‘planning to do something’, only a minority has actually done so. With the consumerisation of IT trend apparent for a number of years now, and smartphones penetrating more and more aspects of society and the workplace, CISOs really should have a BYOD policy in place ASAP; this appears to highlight a gap that needs rectifying.

The IBM CISO Assessment 2013 builds on last year’s polling, adding qualitative interviews this year with 41 senior CISOs from the US, UK, Japan and Germany, each responsible for at least 1,000 employees (sometimes 10,000 or more). The idea is to refresh the research and try to ascertain the 2013 trends.

Three obvious trends emerge: the need to establish clear boardroom-supported business practices; technologically mature IT estates; and effective measurement capabilities.

The 2013 IBM study examines these three key CISO trends to try to outline a set of leading best practice guidelines, established by talking to practitioners, which can then be used to define the role of the security officer and help others advance their skillset. The conclusion is that the job of the CISO is becoming more strategic, with management and technology skills increasingly a necessity. This should be the focus for CISOs for next year.

The main priority areas identified for CISOs are:

Business practices: The CISOs interviewed by IBM stressed the need for strong business vision, strategy and policies, comprehensive risk management, and effective business relations and boardroom support in order to be successful in their roles. Understanding the concerns of their C-suite is also critical. More mature security leaders meet regularly with their board and C-suite, thereby improving relations.

When CISOs meet with the board, the top topics that they discuss include:

–Identifying and assessing risks (59%).
–Resolving budget issues and requests (49%).
–New technology deployments (44%).

The challenge for security leaders is to successfully manage the diverse security concerns of the business, while explaining information security initiatives and obtaining wide-scale organisational support.

Technology maturity: Mobile security is the number one ‘most recently deployed’ security technology, with one-quarter of CISOs surveyed by IBM deploying it in the past 12 months alone, but deployment is starting from a low base. Although privacy and security in a cloud environment are still concerns, three-fourths (76%) of IT security leaders have already deployed some type of cloud security service - the most popular being data monitoring and audit, along with federated identity and access management (both at 39%).

While the cloud and mobile continue to receive a lot of attention within many organisations, foundational technologies that CISOs are focusing on in particular include:

–Identity and access management (51%).
–Network intrusion prevention and vulnerability scanning (39%).
–Database security (32%).

The primary mobile challenge for security leaders is to advance beyond the initial steps and think less about technology and more about policy and strategy. Fewer than 40% of organisations have deployed specific response policies for personally owned devices or an enterprise strategy for bring your own device (BYOD). It is good to see that 39% plan to introduce a BYOD policy in the next year and 27% plan to institute a lost device or incident response policy, but these should already be in place. CISOs should get moving on these policy rollouts.

Measurement capabilities: CISOs mainly use metrics at the moment to guide budgeting and to make the case for new technology investment, finds the IBM CISO Assessment 2013 report. In some cases, infosec practitioners use measurements to help develop strategic priorities for the security organisation, but there is not enough of this. At present, technical and business metrics are still too focused on operational issues such as how many distributed denial of service (DDoS) or other attacks have been fought off. For example, over 90% of respondents track the number of security incidents, lost or stolen records, data or devices, and monitor audit and compliance status. That is all fine, but far fewer (just 12%) are feeding business and security measures into their overall enterprise risk procedures – this is despite the majority saying that protecting the entire enterprise is their key aim. There is a need for more coordination, board reporting and less siloed policies.

“It’s evident in this study that security leaders need to focus on finding the delicate balance between developing a strong, holistic security and risk management strategy, while still implementing everyday operational strategic capabilities, such as mobility access and mobile IP identifications or rolling out BYOD policies,” said David Jarvis, a manager at the IBM Center for Applied Insights and lead author of the report.

In other words, it is time for the CISO to come away from the server face, get involved in the boardroom and develop better communication and management skills if he or she is to better protect the organisation against the growing cyber-security threat. That threat has been evident all year, from the $6bn Liberty Reserve money laundering scam; the rise of Ripple, Bitcoin and other non-traditional digital currencies; and attacks like the recent one in which a Barclays branch IT system was taken over by criminals.

The need for better CISO skills was highlighted at the recent Sibos 2013 Technology Forum in Dubai, UAE, and by SWIFT’s CISO Michael Fish, who highlighted it as one of his key areas of focus during an earlier bobsguide interview.

By Neil Ainger
