State of the CSO 2008: Powering Up
Our exclusive 2008 State of the CSO survey shows growth on almost every front in the battle to engrain security and risk management into every business.
By Derek Slater
June 27, 2008 — We heard from senior leaders on everything from organizational charts and strategic priorities to daily duties. Let's dive into the key findings:
1. More Power to You
Where security reports on the organizational chart is a good barometer of the profession's standing. For the first time, the number of respondents who report directly to the CEO or president of their organization is equal to the number reporting to the technical function. That's the first sign of expanding influence.
To whom do you directly report?
| | 2008 | 2003 |
|---|---|---|
| CIO or CTO | 22% | 30% |
| CEO/President | 21% | 12% |
| COO/Equivalent | 11% | 6% |
| CFO/Equivalent | 5% | 5% |
| General Counsel/Legal | 4% | 2% |
| Other | 37% | 34% |
***
Certifications remain important, but the big story here is the encouraging increase in the number of security leaders who hold an MBA. In 2003, 14 percent of respondents could hang an MBA on their office wall. Today, that number has risen to more than a quarter of respondents.
Which of the following degrees and/or certifications do you hold?
| (Multiple responses possible.) | |
|---|---|
| MBA | 26% |
| CISSP | 23% |
| Military or law enforcement | 3% |
| CPP | 11% |
| JD | 3% |
| PhD | 3% |
***
Tenure is on the rise, offering further evidence that the security leadership position is becoming more stable and mature. And perhaps, just perhaps, that the "fall guy syndrome," in which CSOs served as handy scapegoats, regardless of who accepted a particular business risk, is receding.
How long have you been in your current position?
| (Numbers do not total 100% due to rounding.) | |
|---|---|
| Less than one year | 8% |
| Between one year and two years | 13% |
| Between two and three years | 20% |
| Between three and five years | 21% |
| Between five and 10 years | 23% |
| More than 10 years | 16% |
***
While I.T. remains a common background for survey respondents (in all likelihood indicating that the title CSO is still held by information-security-only leaders in a lot of companies), a wide variety of other experiences shape the security function.
What is your background?
| Multiple responses possible. | |
|---|---|
| Information systems | 58% |
| Business operations (sales, admin, etc.) | 24% |
| Military | 18% |
| Physical security | 18% |
| Audit | 16% |
| Law enforcement | 16% |
| Legal | 4% |
| Other | 13% |
2. Changing World, Changing Job
Org charts aside, here's a direct and resounding indication that the corporate world has awakened to risk management.
In the past 12 months, has your organization's leadership placed more, less or the same value on risk management?
| | |
|---|---|
| More value | 62% |
| No change | 32% |
| Less value | 6% |
And here's one likely reason for risk management's greater value: more laws. While it has been a quiet year (relatively) for new federal laws, companies still face an expanding list of state disclosure laws, new PCI application security requirements, and rolling deadlines such as the FACT Act's Red Flag Rules.
In the past 12 months, has the amount of time you spend on regulatory compliance increased, decreased or stayed the same?
| | |
|---|---|
| Increased | 59% |
| Remained the same | 40% |
| Decreased | 2% |