On paper, the state of the CSO appears to be improving in many ways. Budgets in many enterprises appear to be headed in the right direction: up. So is staffing. CSOs are also getting what they have wanted for a decade: more time with the top executives in their organizations.
Yet the question remains: are enterprises getting the results they need? That's tough to say. Attacks are becoming more sophisticated, which in turn requires more complex strategies for securing data. For instance, the most recent Verizon Data Breach Investigations Report found that financially motivated cybercrime and state-affiliated espionage campaigns together account for 95 percent of all attacks. And breaches remain undetected for weeks, months and even years.
Perhaps results like that are why 45 percent of security decision-makers questioned in CSO magazine's annual State of the CSO survey reported that their security budgets will rise this year as compared to last year. That's sharply higher than the 38 percent who reported their budgets would increase in 2012. When evaluated by enterprise size, the survey found organizations with $1 billion or more in annual revenue are the most likely to be planning spending increases—54 percent of them expect budget hikes. The likelihood of spending increases dips to 46 percent for small companies and 35 percent for midsize organizations.
The survey, conducted among 280 respondents involved in security purchasing decisions for their companies, also found that just 7 percent expect budget cuts. That's down significantly from 11 percent in 2011.
Not surprisingly, considering the number of enterprises with budgets on the rise, staffing levels are also expected to grow. Fully 34 percent of respondents expect their organizations' full-time security headcount to increase. Also, fewer expect to cut full-time security staff this year—only 8 percent compared to 14 percent last year.
Once again, it is the larger companies that are most likely to be increasing their security resources, with 42 percent planning staffing increases, compared to 37 percent of midsize and 26 percent of small organizations.
Demand for talent still outstrips supply
This demand for skilled IT security professionals continues to strain organizations' ability to attract security talent. In fact, finding and retaining skilled IT security workers was identified as among the greatest challenges for 31 percent of large companies.
Kim Jones, senior vice president and CSO of Vantiv, likens the information security personnel challenges to some of the challenges the intelligence community faced a decade ago: too much reliance on technology and signal intelligence and not enough on human intelligence and analysis. "Unfortunately, we're not getting enough people with the skills we need," Jones says.
Considering the high demand for skilled IT security talent, it's surprising to find that security salaries are flat. Security decision-makers earn $179,600 on average, nearly unchanged from the $180,100 reported last year. What's less surprising is that salary depends largely on the size of the company where the security professional works: respondents at large companies earn $235,600 on average, compared with $147,000 at small companies and $153,300 at midsize companies.
Daniel Kennedy, research director of information security and network practices at 451 Research, says his own findings parallel ours. "It's a very interesting job market dynamic. Enterprises complain that they can't attract talent, they say that they can't keep talent, and [they say] they've tried everything to do so except salary raises," he says.
Top CSO worries include mobility, denial-of-service attacks and awareness
In the year since our previous State of the CSO survey, there have been a number of significant security events. These include the disclosures of widespread NSA monitoring in the Edward Snowden leaks and the recently reported theft of the personal information of 38 million Adobe software users, as well as the theft of Adobe product source code, which some warn could lead to increased zero-day attacks against the software.
These events are becoming incorporated into the mind-set of CSOs, IT security and business management.
Not surprisingly, the security challenge most respondents (54 percent) said they would face in the coming year is managing security and addressing the risks around mobile and bring-your-own-device (BYOD) programs. That's closely followed by cyberthreats from outside the organization, including advanced persistent threats (APTs) and distributed denial-of-service (DDoS) attacks, both at 49 percent. Employee awareness and cooperation, at 48 percent, also ranks among the most common challenges.
Survey results suggest large companies are more worried about both insider and outsider threats: 56 percent count APTs and DDoS among their company's greatest challenges, while 34 percent point to cyberthreats from insiders.
Steve Phillips, CIO at Avnet, the $25.5 billion electronics distributor, says enterprises could dramatically reduce their vulnerability to such threats by more deeply integrating security into the decision-making processes of the organization and the design of their business-technology systems. "When designing new systems, it's important to make sure that not only is the technical architecture good, but that security is considered and incorporated from the beginning," he says.
Improving employee awareness and cooperation is also a high priority. Phillips says Avnet has increased its focus on employee security awareness in many ways, including sending its own realistic, yet discernibly fake, phishing emails. His team tracked how many people clicked through the socially engineered email as if it were legitimate, and which of them went on to disclose personal information versus simply deleting the message. "We track the click-through rates and we counsel those who fell for it," he says.
"This has been quite effective for us, considering the primary goal is to get the organization talking about security in an open and real way," Phillips says.
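The tracking Phillips describes needs two things: a way to attribute a landing-page hit to one recipient without letting employees guess or forge each other's links, and a tally that separates a click from an actual credential submission. The following is an added example written for this article, not Avnet's tooling or anything from the original page. Each recipient gets an HMAC-derived token in the link, the landing page's access log is parsed in Common Log Format, a GET with a known token counts as a click and a POST as a submission, and recipients with no hit at all are the ones who deleted or ignored the message. The campaign id, secret, recipient addresses and log lines are all constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import parse_qs, urlparse

# Hypothetical per-campaign secret. In practice load it from a secrets store;
# it is what stops an employee deriving a colleague's token from their address.
CAMPAIGN_SECRET = b"rotate-me-per-campaign"
CAMPAIGN_ID = "q3-awareness"  # hypothetical campaign label


def recipient_token(email: str, campaign_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque token for one recipient: HMAC-SHA256 over campaign id and the
    normalized address, truncated to 16 hex chars. Unguessable without the
    secret, stable for the same recipient within a campaign."""
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def build_roster(recipients: Iterable[str], campaign_id: str) -> Dict[str, str]:
    """Map token -> email so a landing-page hit can be attributed."""
    return {recipient_token(e, campaign_id): e for e in recipients}


# Common Log Format request line as written by Apache/nginx.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def classify_hits(log_lines: Iterable[str], roster: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Attribute hits on /login?t=<token> to recipients.
    GET -> "clicked", POST (the fake form) -> "submitted"; a recipient who did
    both is recorded as "submitted". Returns (outcomes, unknown-token hit count)."""
    outcomes: Dict[str, str] = {}
    unknown = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        token = parse_qs(urlparse(m.group("path")).query).get("t", [None])[0]
        if token is None:
            continue  # static asset or scanner noise without a token
        email = roster.get(token)
        if email is None:
            unknown += 1  # forged or mistyped token: never attribute to anyone
            continue
        stage = "submitted" if m.group("method") == "POST" else "clicked"
        if outcomes.get(email) != "submitted":
            outcomes[email] = stage
    return outcomes, unknown


def summarize(roster: Dict[str, str], outcomes: Dict[str, str]) -> Dict[str, float]:
    """Click-through and submission rates over everyone who was sent the email."""
    total = len(roster)
    clicked = len(outcomes)  # anyone with an outcome at least clicked
    submitted = sum(1 for s in outcomes.values() if s == "submitted")
    return {
        "recipients": total,
        "clicked": clicked,
        "submitted": submitted,
        "no_action": total - clicked,  # deleted or ignored the message
        "click_rate": clicked / total if total else 0.0,
        "submit_rate": submitted / total if total else 0.0,
    }


# --- constructed sample data: five recipients, one forged-token hit ----------
SAMPLE_RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com",
                     "dave@example.com", "erin@example.com"]
ROSTER = build_roster(SAMPLE_RECIPIENTS, CAMPAIGN_ID)


def _tok(email: str) -> str:
    return recipient_token(email, CAMPAIGN_ID)


SAMPLE_LOG: List[str] = [
    f'10.0.0.5 - - [12/Nov/2013:09:14:02 +0000] "GET /login?t={_tok("alice@example.com")} HTTP/1.1" 200 1532',
    f'10.0.0.5 - - [12/Nov/2013:09:14:40 +0000] "POST /login?t={_tok("alice@example.com")} HTTP/1.1" 302 0',
    f'10.0.0.9 - - [12/Nov/2013:09:20:11 +0000] "GET /login?t={_tok("bob@example.com")} HTTP/1.1" 200 1532',
    '10.0.0.9 - - [12/Nov/2013:09:20:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
    '203.0.113.7 - - [12/Nov/2013:09:31:55 +0000] "POST /login?t=0000deadbeef0000 HTTP/1.1" 302 0',
    f'10.0.0.21 - - [12/Nov/2013:10:02:37 +0000] "GET /login?t={_tok("dave@example.com")} HTTP/1.1" 200 1532',
    "garbage line that is not a request",
]


def run_sample() -> Dict[str, float]:
    outcomes, unknown = classify_hits(SAMPLE_LOG, ROSTER)
    report = summarize(ROSTER, outcomes)
    report["unknown_token_hits"] = unknown
    return report


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample data this reports three clicks, one submission and two recipients who took no action, plus one hit carrying a token that matches nobody. That last bucket matters: a forged or guessed token must never be counted against an employee, which is why attribution goes through the HMAC roster rather than trusting anything in the URL. The token-to-email mapping is the only thing that identifies who fell for the test, so it should be held as tightly as the counseling conversations it feeds.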
Higher-ups seek security's advice
Nearly three-quarters (74 percent) of the security decision-makers we surveyed have seen an increase in the amount of time they spend advising senior executives and other top business decision-makers on security matters. What's more, 79 percent of that group expect their time spent advising senior execs to increase even further over the next three years.
That's certainly welcome news to most CSOs, who have been fighting for a seat at the table for more than a decade. It's a trend Martin Zinaich, information security officer for Tampa, Fla., would like to see more of, as it fosters mutual understanding.
"I think many business leaders still don't understand IT security, unless their industry revolves around risk management, such as large financial and e-commerce firms. Such industries drive great security programs forward because their business can be so easily shattered if there is a large security incident," Zinaich says.
"I think most others often don't fully grasp the risk to their business," he says.
One area where a number of CSOs we interviewed hope to effect change is the corporate reporting structure in which most CSOs operate.
"I've believed for a long time that IT security is so important to the business that it needs to come out of the shadow of the CIO and move to report to a senior level that does not itself report to IT," says Zinaich.
"There is an inherent conflict of interest there in that the CIO wants to move new IT initiatives forward as quickly as possible. Security too often gets in the way of that.
"Unfortunately, I think the ability of CSOs to speak directly to business executives about their security program metrics, the real risks to the business and the overall security posture of the business is still very rare," he says.
451 Research's Kennedy agrees. "The way security is organized is a problem in many companies, where security still reports to IT. This impacts how projects and their budgets are decided upon. Compliance tells IT security what they need to do, or the CIO decides what security is going to do," he says.
CIO Phillips says organizations need to implement the reporting structure that makes the most sense for their business, and he says he meets regularly with Avnet's board to give updates on the company's risk-management efforts.
"Like most large corporations, we have a very formal enterprise risk program. And whenever I get to see the board, there are two risks that they always want to talk to me about: [one is] IT security, and the other is disaster recovery and business contingency planning," he says.
Vendors inspire slightly less confidence
That brings the discussion to another area of the report—how cloud computing affects enterprise risk. "When I think of cloud and its impact on risk, I think along the same lines as our board: IT security and disaster recovery," says Phillips.
Phillips explains that while Avnet thoroughly vets cloud providers regarding their security and governance capabilities, there's always a risk when outsourcing. He adds that with disaster recovery, "cloud computing helps because it spreads out the physical locations of your hardware and data."
When decision-makers are asked to rate how happy they are with security products and services, product vendors score higher than services vendors for overall satisfaction: fully 75 percent of respondents are satisfied with the security product offerings currently available to them, compared to 64 percent for security services vendors. However, both numbers are down slightly from last year.
The slight uptick in disillusionment with security tools comes at a time when more experienced security professionals believe too many in the industry are becoming overly reliant on technology and aren't focusing enough on outwitting the adversary.
Partly to blame for this technological dependency is the way vendors promote their tools and services as providing easy "solutions" to pressing challenges, according to Jones.
"There are times when the industry's ... goals and objectives aren't necessarily aligned with those of us who fight the bad guys every day," he says.
"And there are times when the industry–in promoting what it does to sell products–actually makes things harder for the profession when selling an easy fix."
Also at fault is the way the industry trains its current and future talent, Jones says. "Many of us in the industry are self-taught, and some of us come from military backgrounds, others a more technological background. And we don't always speak the same language when it comes to how we define and approach our problems," he says.
Even college curriculums in IT security don't provide a standardized way to apply critical thinking skills to IT and IT security frameworks, Jones says.
"My concern here is that we are diluting our ability to fight our very intelligent adversaries because we have become so stuff-dependent," he says.
The full State of the CSO report, however, reveals many positive developments this year, including increased budgets, staff and time with senior executives. Yet there is still more, much more, that needs to be accomplished to get IT security risks to an acceptable level.
George V. Hulme is a freelance security and technology writer based in Minnesota.