You’ve been hearing it with increasing frequency over the past few years: In the near future, every business will be a digital business — a de facto software or IT company. It won’t matter what industry you are in. Everything will have an information technology component.

General Electric CEO Jeffrey Immelt now describes his organization as a digital industrial company. GM expects to have 12,000 information technology employees by the end of 2017, up from 1,400 in 2012. IBM’s own Ginni Rometty has addressed it as well, stating that everybody is talking about being a digital company, but simply doing that will just be a start of a broader transformation.

If you combine this ballooning responsibility of IT to the business with the fact that information security and its practitioners are getting more attention, budget, pressure and scrutiny from their respective businesses, something will have to fundamentally change. CISOs and other security leaders are asking, “How do I assess the real security risks to my company? How can I best communicate that risk to the broader organization and manage expectations? Even if I succeed at that, do I have the skills, resources and tools for success?” These are all important questions.

Studying the Link Between Strategy and Risk

This year, IBM sponsored a study by the Darwin Deason Institute for Cyber Security, which is part of the Lyle School of Engineering at Southern Methodist University in Dallas. Researchers conducted 40 in-depth interviews with CISOs to better understand the connections between security investment strategies and reducing risk.

Read the IBM Executive Summary: CISO insights on moving from compliance to risk-based program

CISOs are still seeing extraordinary support from the business and the budget to match. However, having enough of the right people with the right skills was seen as a barrier to execution, sometimes delaying security investments and improvements.

The study also found that security leaders are relying on customized frameworks based on industry standards and best practices to help prioritize risks. These frameworks have become a key lens through which to define risk perception and prioritize investments in security. It is also used as a communications tool with business leaders.

The Changing Role of Security Leaders

The IBM Security team has been following this evolution, and in conjunction with the IBM Center for Applied Insights, have held up a magnifying glass to how the role of security leadership is changing. In 2012, we identified a group of security influencers who saw their security organizations as progressive, ranking themselves highly in both maturity and preparedness. This vanguard had business influence and authority; they were a strategic voice in their enterprises that were more focused on reducing future risk.

In 2013, our research uncovered a set of leading business, technology and measurement practices that security leaders were following. We suggested that security leaders combine a strong strategy with holistic risk management while engendering trust with senior leaders. They had to maintain foundational security technologies, but not at the expense of implementing more advanced and strategic capabilities.

Last year we looked at best practices for fortifying for the future. Some of these included shoring up cloud, mobile and data security, enhancing education and leadership skills, engaging in more external collaboration and planning for multiple government scenarios.

We’ve even taken lessons from higher education and those training the next generation of security professionals. Educators say they need to produce versatile experts who use predictive and behavioral analysis on attackers. Students have to be trained as facilitators between technology and the business, and their curricula must incorporate emerging technologies such as the Internet of Things (IoT).

CISOs Play an Important Role

We see a lot of the same themes across all of this research: a strategic focus, a holistic view of risk, strong communication and acting as the intermediary between IT and business needs.

There is no doubt that the importance of the CISO and other security leaders is increasing, and business leaders are looking to them for counsel. Security leaders are risk leaders. If it’s true that every business will someday be a digital business, then security leaders need to provide the confidence for their organizations to embark on that journey without allowing doubts to be traitors to the transformation.

You can either read a full version of the SMU report or an executive summary, “From Checkboxes to Frameworks: CISO Insights on Moving From Compliance to Risk-Based Programs.”

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…