From Checkboxes to Frameworks: CISOs as Risk Leaders

You’ve been hearing it with increasing frequency over the past few years: In the near future, every business will be a digital business — a de facto software or IT company. It won’t matter what industry you are in. Everything will have an information technology component.

General Electric CEO Jeffrey Immelt now describes his organization as a digital industrial company. GM expects to have 12,000 information technology employees by the end of 2017, up from 1,400 in 2012. IBM’s own Ginni Rometty has addressed it as well, stating that everybody is talking about being a digital company, but simply doing that will just be a start of a broader transformation.

If you combine this ballooning responsibility of IT to the business with the fact that information security and its practitioners are getting more attention, budget, pressure and scrutiny from their respective businesses, something will have to fundamentally change. CISOs and other security leaders are asking, “How do I assess the real security risks to my company? How can I best communicate that risk to the broader organization and manage expectations? Even if I succeed at that, do I have the skills, resources and tools for success?” These are all important questions.

Studying the Link Between Strategy and Risk

This year, IBM sponsored a study by the Darwin Deason Institute for Cyber Security, which is part of the Lyle School of Engineering at Southern Methodist University in Dallas. Researchers conducted 40 in-depth interviews with CISOs to better understand the connections between security investment strategies and reducing risk.

Read the IBM Executive Summary: CISO insights on moving from compliance to risk-based program

CISOs are still seeing extraordinary support from the business and the budget to match. However, having enough of the right people with the right skills was seen as a barrier to execution, sometimes delaying security investments and improvements.

The study also found that security leaders are relying on customized frameworks based on industry standards and best practices to help prioritize risks. These frameworks have become a key lens through which to define risk perception and prioritize investments in security. It is also used as a communications tool with business leaders.

The Changing Role of Security Leaders

The IBM Security team has been following this evolution, and in conjunction with the IBM Center for Applied Insights, have held up a magnifying glass to how the role of security leadership is changing. In 2012, we identified a group of security influencers who saw their security organizations as progressive, ranking themselves highly in both maturity and preparedness. This vanguard had business influence and authority; they were a strategic voice in their enterprises that were more focused on reducing future risk.

In 2013, our research uncovered a set of leading business, technology and measurement practices that security leaders were following. We suggested that security leaders combine a strong strategy with holistic risk management while engendering trust with senior leaders. They had to maintain foundational security technologies, but not at the expense of implementing more advanced and strategic capabilities.

Last year we looked at best practices for fortifying for the future. Some of these included shoring up cloud, mobile and data security, enhancing education and leadership skills, engaging in more external collaboration and planning for multiple government scenarios.

We’ve even taken lessons from higher education and those training the next generation of security professionals. Educators say they need to produce versatile experts who use predictive and behavioral analysis on attackers. Students have to be trained as facilitators between technology and the business, and their curricula must incorporate emerging technologies such as the Internet of Things (IoT).

CISOs Play an Important Role

We see a lot of the same themes across all of this research: a strategic focus, a holistic view of risk, strong communication and acting as the intermediary between IT and business needs.

There is no doubt that the importance of the CISO and other security leaders is increasing, and business leaders are looking to them for counsel. Security leaders are risk leaders. If it’s true that every business will someday be a digital business, then security leaders need to provide the confidence for their organizations to embark on that journey without allowing doubts to be traitors to the transformation.

You can either read a full version of the SMU report or an executive summary, “From Checkboxes to Frameworks: CISO Insights on Moving From Compliance to Risk-Based Programs.”

Share this Article:
David Jarvis

Security and CIO Lead for the IBM Institute for Business Value

David Jarvis is the Security and CIO Lead for the IBM Institute for Business Value. He is responsible for developing and executing an agenda that explores emerging business and technology topics for those areas. He is a passionate expert in the development and management of market insights, thought leadership and strategic foresight projects, and has held multiple positions at IBM in those areas. He is the author of numerous cybersecurity thought leadership reports, including the 2012–2014 IBM CISO Assessments. In addition to his research responsibilities, David teaches on business foresight and creative problem solving.