State of the CSO: Security's Influence Grows; Will It Last?

CSOonline's exclusive 2009 State of the CSO research shows the importance of risk management continues to rise, though challenges remain

All things considered, the state of the CSO is quite good these days. While the economy is in the tank, CSOs report that security's stock is still rising.

And perhaps that's not a coincidence. The CEOs and CFOs of the world are more attuned to risk than ever, say respondents to our exclusive annual State of the CSO survey. (Even better than last year's results, which were already very positive.)

More organizations report having security processes in place. The CSO role itself is viewed as an ever-more strategic and permanent part of corporate leadership. As a result, CSOs report higher overall job satisfaction than last year.

That's not to say that everything is roses and chocolate. Security awareness among everyday employees remains challenged -- just over a third of respondents say line-of-business employees consider security part of their responsibilities. (See seven practical suggestions for raising awareness.)

And some other stats raise an interesting question: In this time of relative favor, is security laying the groundwork necessary to keep its funding and attention when the economy turns around? About half of the respondents say they use no financial methodology for measuring the value or contribution of security. Similarly, half say they use no formal enterprise risk management process that extends beyond traditional stovepipes.

Here is a look at key findings from the survey.

A Happy Place

Job satisfaction among security leaders is up, and organizational leadership is more attuned to security issues than in recent years (which is saying something).

Respondents who are very satisfied or somewhat satisfied with the following:

2009 2008
Your job overall 82% 74%
Your org's support for security 65% 65%
Quality of products offered by security vendors 62% 50%
Quality of services offered by security vendors 54% 46%
Quality and relevance of standards and guidelines (eg ISO) 68% 56%


Respondents who agree or strongly agree that senior management views the security leader's role as strategic and permanent:

2009 70%
2008 64%
2004 17%


"In the past 12 months, has leadership placed more, less or the same value on risk management?"

More value 50%
The same value 46%
Less value 4%


Big and Little

The often-cited gap between security practices at bigger companies and smaller ones is wide in places, but, surprisingly, in one area reversed. Might the backwards area suggest that bigger companies can be overly reliant on policy and smaller ones more focused on operational decisions?

Respondents who agree or strongly agree with the following statements:

Senior management has established a security policy and auditing process

Big 87%
Midmarket 62%

All managers in the organization understand their roles in regard to security

Big 39%
Midmarket 28%

Security considerations are a routine part of your organization's business processes

Big 63%
Midmarket 72%

Note: "Big" respondents report $1B revenues or more. "Midmarket" respondents have revenues between $100M and $1B.


Employee Awareness and Responsibility: A Tought Nut to Crack

Employees outside of the security department get more security training than they did in 2004, but respondents still aren't wildly optimistic that those employees build security into their day-to-day decisions. (Anybody shocked?)

Respondents who agree or strongly agree with the following statements:

"All employees receive training in all security policy topics" 59%
"All employees are trained in the consequences of a public security breach" 54%
"All employees consider security a part of their daily responsibilities" 38%


Security Financials: The Numbers Game

No question about it: Financial methodologies are hard to apply to secruity expenses.

However, very little is done - or spent - in the corporate world without measurement. While none of the following methodologies is perfect, some would argue that security jeopardizes its standing by failing to present a rigorous examination of its spending.

Which of the following methods and calculations do you apply in the security budgeting process?

Return on investment 38%
Total cost of ownership 34%
Annual loss expectancy 17%
Net present value 11%
Economic value added 9%
No formal financial methodology 50%


Does your organization use a formal enterprise risk management process or methodology that incorporates multiple types of risk?

Yes 46%
No 54%


About the survey and respondents:

Qualified respondents were invited by email to take the 2009 State of the CSO survey this spring. The survey instrument was completed online. The 256 respondents represented a variety of industries, the largest being:

Govt, nonprofit and education 23%

Financial services 20%

High-tech, telecom and utilities 17%

Healthcare 11%

Manufacturing 9%

Respondents report involvement in activities including:

Information security 95%

Business continuity 92%

Security-related audit 90%

Privacy 89%

Intellectual property protection 84%

Investigations 81%

Fraud prevention 73%

Assets/facilities security 72%

Personnel security 60%

Copyright © 2009 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.