Laggard to leader: What it takes to get there

What are the best ways for strategists, tacticians and followers to become IT security leaders with mature processes? More analysis from the Global Information Security Survey.

CSO, October 05, 2011

How do organizations move from lagging in their IT security program to leading? They must put an effective strategy in place, execute that strategy consistently, and maintain good visibility into the security events in their infrastructure. That looks good on paper, but how do you get there? CISOs say it boils down to executive vision and support.

However, according to responses to this year's CSO/CIO/PwC Global Information Security Survey, security professionals are focused more on technologies and less on integrating security processes throughout the business.

For instance, only 48 percent report linking security to privacy or regulatory compliance, whether through organizational structure or policy. And only 46 percent employ dedicated security personnel who support internal business departments.


[See Part 1 of the survey analysis: "Are you an IT security leader—really?"]


Those are just two examples of the disconnect. Others include failing to align security spend with real-world business risk and lacking healthy lines of communication with executive leadership. Part of the problem, security industry experts say, is of IT security's own making.

"Many security professionals do not behave as if they are a critical business function. Instead of discussing business risk, they discuss attack techniques and technologies," says Eric Cowperthwaite, CSO at Providence Health and Services.

That communication problem, says Daniel Kennedy, research director for information security and networking at the research firm TheInfoPro, is largely a by-product of an old story: Organizations promote highly technical personnel to what should really be a business management role.

"They figure, 'That's the person who managed the firewall, therefore let's make them the CISO,'" says Kennedy. "There has to be some consideration that there are people out there who are good communicators, good senior executives, and then there are people for whom that's not in line with their capabilities," he says.

"I speak with other companies all the time, and there are many CISOs with that title, but their real strategy is to make their firewalls run better, so they're always working at a low tactical level," says Providence Health's Cowperthwaite.
