


Sowing the Seeds of Strategic Security

Oct 01, 2005

It's clear from the data that respondents spend most of their time in reactive mode: responding to incidents, deploying firewalls, and dealing with everyday nuisances like spam and spyware. Ironically, the most common proactive step respondents take is to develop business continuity and disaster recovery plans. So even their proactive steps are investments in reactive measures.

Having said that, a few numbers did pop out that suggest the foundation is being laid for a time when information security may become more strategic. This year more companies employed security executives and focused on integration between physical and information security than in the two previous years.

"Security has gotten more visibility since I started watching this sector 11 years ago, no doubt," Lobel says. "Most encouraging is the combination of physical and information controls. All business eventually will have an e-business component, and as business evolves, security has to evolve with it and include physical and information security in equal proportions. Some of the data is starting to show that evolution, but we're clearly not there yet."

Security's rising profile is most encouraging when you cross-reference the governance numbers with effectiveness. Those companies where the function resides near the top have a far better security posture than the average respondent. Security is more strategic at those companies that have elevated the role. For example, only 37 percent of respondents said they have an overall security strategy. At companies with CSOs, that number leaps to 62 percent. Likewise, 80 percent of companies with CSOs also employed a CISO or equivalent, compared with about 20 percent overall.

Companies with an executive security function also reported that their spending and policies are more aligned with the business and that a higher percentage of their employees comply with internal information security policies. Companies with a security chief also measured and reviewed information security policies more than those without a security executive, and they were far more likely to prioritize information assets by risk level.

Resources are dialed up at companies with a security executive too. They averaged more full-time employees and higher budgets. They were almost twice as likely to have a security budget separate from the IT budget and, while they were equally likely to get additional monies for security from the IT department, companies with executive infosec leaders reported getting more money more often from other lines of business, such as legal, risk, and compliance and regulatory groups.

Companies that haven't elevated the role outnumber those that have. But if companies that have elevated information security tend to act more strategically (and more companies are doing that), then it follows that information security is getting more strategic. It's early on in the trend, but it's a positive.