State of the CSO 2008: Powering Up
Our exclusive 2008 State of the CSO survey shows growth on almost every front in the battle to engrain security and risk management into every business.
By Derek Slater
June 27, 2008 — Our exclusive 2008 State of the CSO survey shows growth on almost every front in the battle to engrain security and risk management into every business. We heard from senior leaders on everything from organizational charts and strategic priorities to daily duties. Let's dive into the key findings:
1. More Power to You
Where security reports on the organizational chart is a good barometer of the profession's standing. For the first time, the number of respondents who report directly to the CEO of president of their organization is equal to the number reporting to the technical function. That's the first sign of expanding influence.
To whom do you directly report?
|CIO or CTO||22%||30%|
Certifications remain important, but the big story here is the encouraging increased number of security leaders who hold an MBA. In 2003, 14 percent of respondents could hang an MBA on their office wall. Today, that number has risen to more than a quarter of respondents.
Which of the following degrees and/or certifications do you hold? h3>
|(Multiple responses possible.)|
|Military or law enforcement||3%|
Tenure is on the rise, offering further evidence that the security leadership position is becoming more stable and mature. And perhaps, just perhaps, that the "fall guy syndrome," in which CSOs served as handy scapegoats, regardless of who accepted a particular business risk, is receding.
How long have you been in your current position?
|(Numbers do not total 100% due to rounding.)|
|Less than one year||8%|
|Between one year and two years||13%|
|Between two and three years||20%|
|Between three and five years||21%|
|Between five and 10 years||23%|
|More than 10 years||16%|
While I.T. remains a common background for survey respondents (in all likelihood indicating that the title CSO is still held by information-security-only leaders in a lot of companies), a wide variety of other experiences shape the security function.
What is your background?
|Multiple responses possible.|
|Business operations (sales, admin, etc.)||24%|
2. Changing World, Changing Job
Org charts aside, here's direct and resounding indication that the corporate world has awakened to risk management.
In the past 12 months, has your organization's leadership placed more, less or the same value on risk management?
And here's one likely reason for risk management's greater value: more laws. While it has been a quiet year (relatively) for new federal laws, companies still face an expanding list of state disclosure laws, new PCI application security requirements, and rolling deadlines such as the FACT Act's Red Flag Rules.
In the past 12 months, has the amount of time you spend on regulatory compliance increased, decreased or stayed the same?
|Remained the same||40%|