Sowing the Seeds of Strategic Security

As information security gains more status in the organization, security improves.

October 01, 2005, CSO

It's clear from the data that respondents spend most of their time in reactive mode: responding to incidents, deploying firewalls, and dealing with everyday nuisances like spam and spyware. Ironically, the most common proactive step respondents take is to develop business continuity and disaster recovery plans. So even their proactive steps are investments in reactive measures.

Having said that, a few numbers did pop out that suggest that the foundation is being laid for a time when information security may become more strategic. This year more companies employed security executives and focused on integration between physical and information security than in the two previous years.

"Security has gotten more visibility since I started watching this sector 11 years ago, no doubt," Lobel says. "Most encouraging is the combination of physical and information controls. All business eventually will have an e-business component, and as business evolves, security has to evolve with it and include physical and information security in equal proportions. Some of the data is starting to show that evolution, but we're clearly not there yet."

Security's rising profile is most encouraging when you cross-reference the governance numbers with effectiveness. Those companies where the function resides near the top have a far better security posture than the average respondent. Security is more strategic at those companies that have elevated the role. For example, only 37 percent of respondents said they have an overall security strategy. At companies with CSOs, that number leaps to 62 percent. Likewise, 80 percent of companies with CSOs also employed a CISO or equivalent, compared with about 20 percent overall.

Companies with an executive security function also reported that their spending and policies are more aligned with the business and that a higher percentage of their employees comply with internal information security policies. Companies with a security chief also measured and reviewed information security policies more than those without a security executive, and they were far more likely to prioritize information assets by risk level.

Resources are dialed up at companies with a security executive too. They averaged more full-time employees at their companies and higher budgets. They were almost twice as likely to have a security budget separate from the IT budget and, while they were equally likely to get additional monies for security from the IT department, companies with executive infosec leaders reported getting more money more often from other lines of business, such as legal, risk, and compliance and regulatory groups.

Companies that haven't elevated the role outnumber those that have. But if companies that have elevated information security tend to act more strategically (and more companies are doing that), then it follows that information security is getting more strategic. It's early on in the trend, but it's a positive.

Other stories by Scott Berinato