October 27, 2015 By David Jarvis 3 min read

You’ve been hearing it with increasing frequency over the past few years: In the near future, every business will be a digital business — a de facto software or IT company. It won’t matter what industry you are in. Everything will have an information technology component.

General Electric CEO Jeffrey Immelt now describes his organization as a digital industrial company. GM expects to have 12,000 information technology employees by the end of 2017, up from 1,400 in 2012. IBM’s own Ginni Rometty has addressed it as well, stating that everybody is talking about being a digital company, but simply doing that will just be a start of a broader transformation.

If you combine this ballooning responsibility of IT to the business with the fact that information security and its practitioners are getting more attention, budget, pressure and scrutiny from their respective businesses, something will have to fundamentally change. CISOs and other security leaders are asking, “How do I assess the real security risks to my company? How can I best communicate that risk to the broader organization and manage expectations? Even if I succeed at that, do I have the skills, resources and tools for success?” These are all important questions.

Studying the Link Between Strategy and Risk

This year, IBM sponsored a study by the Darwin Deason Institute for Cyber Security, which is part of the Lyle School of Engineering at Southern Methodist University in Dallas. Researchers conducted 40 in-depth interviews with CISOs to better understand the connections between security investment strategies and reducing risk.

Read the IBM Executive Summary: CISO insights on moving from compliance to risk-based program

CISOs are still seeing extraordinary support from the business and the budget to match. However, having enough of the right people with the right skills was seen as a barrier to execution, sometimes delaying security investments and improvements.

The study also found that security leaders are relying on customized frameworks based on industry standards and best practices to help prioritize risks. These frameworks have become a key lens through which to define risk perception and prioritize investments in security. It is also used as a communications tool with business leaders.

The Changing Role of Security Leaders

The IBM Security team has been following this evolution, and in conjunction with the IBM Center for Applied Insights, have held up a magnifying glass to how the role of security leadership is changing. In 2012, we identified a group of security influencers who saw their security organizations as progressive, ranking themselves highly in both maturity and preparedness. This vanguard had business influence and authority; they were a strategic voice in their enterprises that were more focused on reducing future risk.

In 2013, our research uncovered a set of leading business, technology and measurement practices that security leaders were following. We suggested that security leaders combine a strong strategy with holistic risk management while engendering trust with senior leaders. They had to maintain foundational security technologies, but not at the expense of implementing more advanced and strategic capabilities.

Last year we looked at best practices for fortifying for the future. Some of these included shoring up cloud, mobile and data security, enhancing education and leadership skills, engaging in more external collaboration and planning for multiple government scenarios.

We’ve even taken lessons from higher education and those training the next generation of security professionals. Educators say they need to produce versatile experts who use predictive and behavioral analysis on attackers. Students have to be trained as facilitators between technology and the business, and their curricula must incorporate emerging technologies such as the Internet of Things (IoT).

CISOs Play an Important Role

We see a lot of the same themes across all of this research: a strategic focus, a holistic view of risk, strong communication and acting as the intermediary between IT and business needs.

There is no doubt that the importance of the CISO and other security leaders is increasing, and business leaders are looking to them for counsel. Security leaders are risk leaders. If it’s true that every business will someday be a digital business, then security leaders need to provide the confidence for their organizations to embark on that journey without allowing doubts to be traitors to the transformation.

You can either read a full version of the SMU report or an executive summary, “From Checkboxes to Frameworks: CISO Insights on Moving From Compliance to Risk-Based Programs.”

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today