Security is very old in most respects, yet very young in others. As a corporate discipline, security unfortunately languished for years in the basement.
Today, as organizations come to grips with a wide swath of risks, the 2010 State of the CSO survey shows those organizations are rapidly adopting a more sophisticated view of security. Of course, there's more work to be done, most prominently in the areas of security metrics and awareness programs.
Let's look at the numbers.
1. How well does each statement describe your organization? (Percent who agree or strongly agree with each statement.)

| Statement | Six years ago | 2010 |
|---|---|---|
| Senior management has established a security policy and auditing process | 23% | 81% |
| Senior management views the security leader's role as strategic and permanent | 17% | 72% |
| Security is viewed as essential to business as opposed to an overhead cost | 25% | 66% |
| Security considerations are a routine part of your company's business processes | 28% | 63% |
| All employees receive training in all security policies | 38% | 78% |
| All employees know the sanctions and consequences of a security policy breach | 42% | 63% |
| All managers in the organization understand their roles and responsibilities in regards to security | 45% | 44% |
| All employees consider security to be part of their everyday responsibilities | 38% | 40% |
Take a moment to reflect on the enormous progress reflected in the chart above.
Six years ago, respondents reported a generally low regard for security risk management within their companies. Policies were not defined. Security leaders were sidelined. Training was minimal.
Today's scenario is different on almost every score; 2010 respondents indicate that security programs are well established in most companies, including policies, personnel and training.
Other than Internet marketing, has any other corporate discipline enjoyed such a rapid and widespread rise in credibility during the same decade? At the risk of falling into a cheerleader role, this is worth noting and celebrating. Current events have clearly been a huge driving factor, but today's security leaders still deserve a pat on the back for helping craft the right organizational response to today's threats.
These 2010 numbers aren't a fluke. Progress in each area has been steadily upward over the years.
Having said that, those upward trends highlight the lack of progress in the bottom two issues. (See next chart for more detail.)
2. How well does each statement describe your organization? (Percent who agree or strongly agree with each statement. A breakout of 2010 data from chart 1 above, by company size.)

| Statement | At big companies | At small companies |
|---|---|---|
| All managers in the organization understand their roles and responsibilities in regards to security | 39% | 53% |
| All employees consider security to be part of their everyday responsibilities | 33% | 44% |
This chart digs into a bit more detail on the two lagging issues noted in the first chart. In most awareness issues, big companies tend to score better than small companies. In these two, however—where overall progress is lacking—smaller companies actually report higher scores than their larger brethren.
We first noted this gap last year, and it persists this year. In last year's survey write-up, we wondered whether this indicates that larger companies are overly reliant on process. A bigger organization naturally tends more toward specialization, which isn't bad, but it can lead to stovepiping, which is. Employees and managers at smaller companies may be more likely to think of their job descriptions as ending with, "and other duties as necessary."
That may be true. But presented with this data, one CSO offers a simple and clear explanation: "I would suggest this is all down to security management failing to communicate adequately with their audience," says Brian Connor, CSO of Genpact, based in Gurgaon, India.
So what to do about it? Jason Richards, CISO for the Virginia Community College System, prescribes better-tailored awareness programs. This means exercises and examples using the specific data or assets the trainees handle every day. That's more work than creating a one-size-fits-all newsletter and poster set.
On the other hand, the data suggests that the blanket approach simply isn't very effective.
3. Which of the following methods and calculations do you apply in the security budgeting process?

| Method | Prior survey | 2010 |
|---|---|---|
| Return on Investment | 46% | 34% |
| Total Cost of Ownership | 39% | 32% |
| Annual Loss Expectancy | 14% | 13% |
| Net Present Value | N/A | 10% |
| Economic Value Added | 16% | 9% |
| No formal methodology | 42% | 51% |

(Respondents could select multiple answers.)
It's easy to look at this chart, indicating a slow retrenchment in the use of specific common financial methodologies, and say this is another area where progress is not being made.
These methodologies are the standard language of business. However, they are notoriously difficult to apply to security with any confidence. For example, annual loss expectancies (a key data point in many calculations) derived from one industry may look fishy to companies in another industry.
"I think they are difficult, though not impossible, to use in the security area. People may start using them, but then find them cumbersome" and give up on them, says Richards.
So we'll stop short of calling a drop in economic value added (EVA) usage a step backward for security. However, the obstinate persistence of "no formal financial methodology" remains troubling. If the methods listed in the survey don't fit, security as a field needs to develop credible alternatives if it wants to achieve long-term success. John Petrie, CISO at Harland Clarke Holdings, notes that while none of the methods listed here are perfect for capturing the value of security, they may be a start in piecing together the puzzle.
Calculating the value of security "encompasses much more than this type of data," Petrie wrote in an e-mail response. "It also includes revenue numbers (or loss thereof), cost for response to incidents (per-record cost), and risks—reputational or otherwise—which are not easily calculated. I think people are developing new, holistic ways to communicate the security value," Petrie says, "and using new measurements, in addition to traditional ones such as total cost of ownership (TCO), ROI, and EVA, to support the statement. As an example, deploying a data leakage protection solution is difficult to sell to leadership using just TCO or ROI," he says. But when it's combined with the ability to block employees from inadvertently sending out confidential data or intellectual property, he says, it "becomes a more powerful value statement. It becomes less of a cost discussion and more of an 'acceptable risk' discussion."
4. Compared to the past 12 months, how will your overall security budget change?

| Response | 2010 |
|---|---|
| Stay the same | 52% |
Setting aside the long-term picture for a moment, what does the near future hold? For most security departments, steady resources or a modest uptick. That's not surprising, as it mirrors the general direction of the world's economy.
5. In the past 12 months, has your organization's leadership placed more value or less value on risk management?
Respondents also say their organizations' leadership has placed more value on risk management in the past 12 months—or at least no less value. This continues the general trend of the past several years, although the percent responding "more value" was at a peak a few years back (69 percent in the 2006 survey).
6. Does your organization use a formal enterprise risk management process or methodology that incorporates multiple types of risk?
The rise of formal enterprise risk management (ERM) has exceeded all but the most optimistic predictions. ERM may in fact be the replacement for the languishing financial methodologies noted above.
Jeff Spivey, President of Security Risk Management, reported at the CSO Perspectives conference in April that companies with a demonstrable ERM effort can receive better credit ratings. Better credit ratings allow companies to borrow money at lower interest rates.
CSOs should seize on that fact, since it hits the corporate bottom line quite directly. At this time, developing a full-fledged ERM program and working with your colleagues to mature that program may be a higher priority than working out the details of EVA or cost-based accounting.
7. In the past 12 months, how has the amount of time spent on regulatory compliance changed?
The amount of time spent on regulatory compliance continues to rise. As these demands grow, so does the necessity of establishing a clear, efficient program for achieving and documenting compliance.
About the survey and respondents:
The State of the CSO survey was administered online to a qualified sample of CSO's audience. Findings are based on responses from 227 security professionals.
Respondents represented a broad range of industries including government and nonprofits (26%), financial services (22%), high tech/telecom/utilities (15%), manufacturing (12%), healthcare (9%) and others.
Respondents report involvement in numerous security-related responsibilities including information security, privacy, fraud protection, investigations, audit, personnel security and more.