October 27, 2015 By David Jarvis 3 min read

You’ve been hearing it with increasing frequency over the past few years: In the near future, every business will be a digital business — a de facto software or IT company. It won’t matter what industry you are in. Everything will have an information technology component.

General Electric CEO Jeffrey Immelt now describes his organization as a digital industrial company. GM expects to have 12,000 information technology employees by the end of 2017, up from 1,400 in 2012. IBM’s own Ginni Rometty has addressed it as well, stating that everybody is talking about being a digital company, but simply doing that will just be a start of a broader transformation.

If you combine this ballooning responsibility of IT to the business with the fact that information security and its practitioners are getting more attention, budget, pressure and scrutiny from their respective businesses, something will have to fundamentally change. CISOs and other security leaders are asking, “How do I assess the real security risks to my company? How can I best communicate that risk to the broader organization and manage expectations? Even if I succeed at that, do I have the skills, resources and tools for success?” These are all important questions.

Studying the Link Between Strategy and Risk

This year, IBM sponsored a study by the Darwin Deason Institute for Cyber Security, which is part of the Lyle School of Engineering at Southern Methodist University in Dallas. Researchers conducted 40 in-depth interviews with CISOs to better understand the connections between security investment strategies and reducing risk.

Read the IBM Executive Summary: CISO insights on moving from compliance to risk-based program

CISOs are still seeing extraordinary support from the business and the budget to match. However, having enough of the right people with the right skills was seen as a barrier to execution, sometimes delaying security investments and improvements.

The study also found that security leaders are relying on customized frameworks based on industry standards and best practices to help prioritize risks. These frameworks have become a key lens through which to define risk perception and prioritize investments in security. It is also used as a communications tool with business leaders.

The Changing Role of Security Leaders

The IBM Security team has been following this evolution, and in conjunction with the IBM Center for Applied Insights, have held up a magnifying glass to how the role of security leadership is changing. In 2012, we identified a group of security influencers who saw their security organizations as progressive, ranking themselves highly in both maturity and preparedness. This vanguard had business influence and authority; they were a strategic voice in their enterprises that were more focused on reducing future risk.

In 2013, our research uncovered a set of leading business, technology and measurement practices that security leaders were following. We suggested that security leaders combine a strong strategy with holistic risk management while engendering trust with senior leaders. They had to maintain foundational security technologies, but not at the expense of implementing more advanced and strategic capabilities.

Last year we looked at best practices for fortifying for the future. Some of these included shoring up cloud, mobile and data security, enhancing education and leadership skills, engaging in more external collaboration and planning for multiple government scenarios.

We’ve even taken lessons from higher education and those training the next generation of security professionals. Educators say they need to produce versatile experts who use predictive and behavioral analysis on attackers. Students have to be trained as facilitators between technology and the business, and their curricula must incorporate emerging technologies such as the Internet of Things (IoT).

CISOs Play an Important Role

We see a lot of the same themes across all of this research: a strategic focus, a holistic view of risk, strong communication and acting as the intermediary between IT and business needs.

There is no doubt that the importance of the CISO and other security leaders is increasing, and business leaders are looking to them for counsel. Security leaders are risk leaders. If it’s true that every business will someday be a digital business, then security leaders need to provide the confidence for their organizations to embark on that journey without allowing doubts to be traitors to the transformation.

You can either read a full version of the SMU report or an executive summary, “From Checkboxes to Frameworks: CISO Insights on Moving From Compliance to Risk-Based Programs.”

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today