May 23, 2014 By Martin Borrett 2 min read

The CISO in 2014: Security Strategies for Building Confidence and Trust Amidst Uncertainty

I recently hosted a fascinating panel discussion with three of Europe’s top Chief Information Security Officers (CISOs). I was joined on a live webinar by Norway-based EVRY CISO Kaare Bjørn Martinussen; Paul Hyland, CISO for the Ireland-based Ardagh Group; and Carles Sole Pascual, information security director of Spain’s CaixaBank. This interactive discussion focused on today’s hottest security topics and what was top of mind with these CISOs in 2014. It was interesting for me — and I hope for our audience — to hear their unique insights about the specific challenges and the innovative ways their organizations are approaching today’s evolving threats.

The Changing Role of Today’s CISO

IBM has been doing some interesting work in recent years looking at the evolving role of the chief information security officer. We started that work in early 2012 when we published our “Feeling the Pressure” paper, in which information security leaders shared insights into how they were reinventing the role in the face of accelerating industry change.

We followed this work with our 2012 CISO Assessment, where we looked in detail at more than 130 CISOs from around the world to gain deeper insight into this evolving role. In 2013, we continued this work with a further in-depth assessment interviewing senior security leaders before publishing this latest paper, “A New Standard for Security Leaders.” The report focused on three areas: business practices, technology maturity and measurement capabilities. Three strong recommendations emerged:

  • Actively build trust at the C-level while broadly communicating an explicit security strategy.
  • Invest in mobile security and advanced technology to directly support the business.
  • Focus on the overall economic impact of risk.

Three Topics That Are Top of Mind for Chief Information Security Officers

With this backdrop, our expert panel discussed a number of key topics: the threat landscape, the role of the CISO, compliance and regulation, and investments and priorities for 2014. What really stood out is how fast the landscape is changing, and as I reflect on the discussion, I would posit three main takeaways for every CISO:

  1. Organizations are being forced to plan and review far more frequently, moving from quarterly to monthly cycles. The panelists communicate far more consistently up the chain; they do not sit in the background. They must, and regularly do, talk to the business; they are “in their face,” as it were. This closer engagement with the business leads to budget buy-in and better business alignment. In those discussions it pays to be open but also correct: stay factual, because inaccurate claims cost the security leader credibility.
  2. From a technology standpoint, there was considerable discussion about the need for improved forensics. However, much work remains to define what kind of forensic evidence is actually needed and, therefore, what data organizations should be collecting on a daily basis, both now and in the future.
  3. One other particularly interesting insight was one panelist’s move from an ISO/IEC 27001/27002 stance toward a PCI DSS mindset. It would be interesting to see whether other organizations are thinking the same way and to explore the benefits of such an approach in more depth.

These insights fuel the need for further discussion and debate, and I look forward to the next in our series of CISO webinars next quarter. On-demand playback for the webinar is live and can be accessed here.

Insights from the 2013 IBM Chief Information Security Officer Assessment
