A quarter of all company security leaders have deployed mobile security in the past month, but they’re still playing “catch-up” as they try to wrap policies and technology around the Bring Your Own Device (BYOD) trend. That’s one of the findings in the second annual IBM assessment of Chief Information Security Officers (CISOs). 

Some characteristics of highly effective security leaders, from new IBM report

The report, “A New Standard for Security Leaders,” is a follow-up to last year’s study, “Finding a Strategic Voice,” which focused more on assessing the maturity and effectiveness of security leaders. David Jarvis, co-author of the report and manager for the IBM Center for Applied Insight, told CMSWire.com that this year's report is targeted more at business practices, technology maturity and measurement capabilities.

The study found experienced information security leaders give “similar advice” when asked how they would advise a new CISO. The advice included developing a strong vision, strategy, policies and comprehensive risk management, maintaining effective business relations and building trust through “communicating in a transparent, frequent and credible way.”

The report found the most important business concern across an organization is avoiding the loss of brand reputation or customer trust. These can be impacted in a variety of ways, including data breaches, data theft and cybercrime. But IBM reported only 24 percent of the interviewed leaders regularly track the impact of a security issue on brand reputation or customer trust — meaning the non-trackers don’t know the true impact of an event.

Key Tool: Security Technology

Even though many security leaders are focusing some of their attention on risk management, stronger business relationships and better communication, their key tool remains security technology. The report noted that slightly more than half of the respondents defined the most “foundational and functional” security technologies as enterprise identity and access management, followed by network intrusion prevention/vulnerability scanning (39 percent) and database security (32 percent).

Others, identified by 20 percent or less of respondents, include advanced malware detection, security intelligence analytics and alternative authentication mechanisms.

Cloud Security

Cloud security remains a major concern, and more than three-fourths of interviewees have deployed a cloud security service. The most common are data monitoring and auditing, tied at 39 percent with federated identity and access management.

Mobile security, ranked as the top security concern in the last IBM assessment on this subject, is still considered the most important and the most deployed. But security technologies and measures are still evolving, as companies try out different approaches and technologies. Seventy-eight percent of respondents said their companies use mobile device management technology, and nearly the same percentage, 76 percent, said they also inventory devices that use corporate data or the corporate network.

But the biggest challenge, the report said, is to go beyond these and similar technological steps by focusing on policy and strategy. Even though BYOD is widely practiced, less than 40 percent of organizations said they have specific policies or overall enterprise strategy for personally owned devices. Many of the security leaders are trying to catch up with the speed with which mobile has entered business life. Thirty-nine percent said developing an enterprise strategy for BYOD is the top planned area of development, while 27 percent cited an incident response policy.

Recommended Steps

The report offers some “essential steps” toward improving the performance of CISOs, or anyone in a company who has taken on the responsibility, even if not the title, of Primary Protector of Informational Security.

In terms of business practices, IBM advises that security leaders formalize their role, establish a security strategy and build trust. Essential steps for technology include investing in advanced tech when it meets a business goal, fortifying mobile security and sharing information with other groups outside of your organization, while steps toward better measurement include focusing on the actual economic impact, tracking reputational risk and translating metrics into financial impact.

Jarvis said that “only about a quarter of organizations are collaborating outside their walls,” a practice that he called “extremely important” because of the need to share information on what works, what threats are brewing, how liability can be reduced and how collaborative resources can reduce costs.

He added that good practices could extend even to Mom and Pop companies that barely have an IT person, much less one devoted entirely to security. “If you’re a Mom and Pop,” Jarvis said, be sure you “understand how security issues could impact your business,” as this knowledge will help guide the steps you take to protect yourself.