State of the CSO 2008: Powering Up

Jun 27, 2008 | 5 mins
CSO and CISO, IT Leadership

Our exclusive 2008 State of the CSO survey shows growth on almost every front in the battle to engrain security and risk management into every business. We heard from senior leaders on everything from organizational charts and strategic priorities to daily duties. Let’s dive into the key findings:

1. More Power to You

Where security reports on the organizational chart is a good barometer of the profession’s standing. For the first time, the number of respondents who report directly to the CEO or president of their organization is equal to the number reporting to the technical function. That’s the first sign of expanding influence.

To whom do you directly report?

CIO or CTO: 22%, 30%
General Counsel/Legal: 4%, 2%


Certifications remain important, but the big story here is the encouraging increased number of security leaders who hold an MBA. In 2003, 14 percent of respondents could hang an MBA on their office wall. Today, that number has risen to more than a quarter of respondents.

Which of the following degrees and/or certifications do you hold?

(Multiple responses possible.)
Military or law enforcement: 3%


Tenure is on the rise, offering further evidence that the security leadership position is becoming more stable and mature. And perhaps, just perhaps, that the “fall guy syndrome,” in which CSOs served as handy scapegoats, regardless of who accepted a particular business risk, is receding.

How long have you been in your current position?

(Numbers do not total 100% due to rounding.)
Less than one year: 8%
Between one year and two years: 13%
Between two and three years: 20%
Between three and five years: 21%
Between five and 10 years: 23%
More than 10 years: 16%


While I.T. remains a common background for survey respondents (in all likelihood indicating that the title CSO is still held by information-security-only leaders in a lot of companies), a wide variety of other experiences shape the security function.

What is your background?

Multiple responses possible.
Information systems: 58%
Business operations (sales, admin, etc.): 24%
Physical security: 18%
Law enforcement: 16%

2. Changing World, Changing Job

Org charts aside, here’s a direct and resounding indication that the corporate world has awakened to risk management.

In the past 12 months, has your organization’s leadership placed more, less or the same value on risk management?

More value: 62%
No change: 32%
Less value: 6%

And here’s one likely reason for risk management’s greater value: more laws. While it has been a quiet year (relatively) for new federal laws, companies still face an expanding list of state disclosure laws, new PCI application security requirements, and rolling deadlines such as the FACT Act’s Red Flag Rules.

In the past 12 months, has the amount of time you spend on regulatory compliance increased, decreased or stayed the same?

Remained the same: 40%

Organizational convergence of physical and IT security has been one attempt to provide clearer oversight into risk. Detractors of this idea are holding steady; negative responses totaled 44 percent this year, which is exactly the same result obtained in 2006.

Should information and physical security operate as a single combined department?

(Numbers do not total 100% due to rounding.)
In my industry, yes: 23%
Not in my industry: 35%

3. Strong Points and Weak Points

Management’s understanding of security is rated reasonably high; ratings for the general workforce suggest that employee regard for security remains (as always) the key area for improvement.

The following mean scores show respondents’ collective agreement or disagreement with various statements, using a scale of 1 to 5 (5 meaning strongly agree):

– Senior management has established a security policy and auditing process: 3.8

– Senior management views the security leader’s role as strategic and permanent: 3.7

– Security is viewed as essential to business, as opposed to an overhead cost: 3.6

– Security considerations are a routine part of your company’s business process: 3.6

– All managers understand their roles and responsibilities with regard to security: 3.1

– All employees receive training in all security policy topics: 3.6

– All employees are trained in the sanctions and consequences of a security breach: 3.4

– All employees consider security to be part of their everyday responsibilities: 3.1

4. Satisfaction and Confidence

Last, here are a few points of interest from a new set of questions in the survey.

Overall, CSOs love their jobs and confirm their extremely high confidence that risk management will gain further recognition as an important business discipline. That’s a great sign.

Relative to those high marks, respondents are somewhat less content with the quality and relevance of the security products and services they are offered.

Dramatically lower is their regard for national security policy and for law enforcement’s ability to address electronic crime issues.

What conclusion might one draw from connecting these dots? For years we’ve been hearing (and repeating) the old saw about the vast majority of the United States’ critical infrastructure being owned and operated by private industry. This chestnut is usually rolled out in an attempt to goad the private sector into more enlightened and proactive security investment. But if these survey results are to be believed—and it’s a reasonable assumption that about 90 percent of respondents are in the private sector—the commercial world feels that it’s doing quite well at security and the problem lies in the public sector.

The following mean scores indicate respondents’ satisfaction, on a scale of 1 to 5 (5 being highly satisfied), with:

– Your job overall: 4.0

– Your organization’s acceptance of/support for security: 3.7

– The quality and relevance of security standards and guidelines: 3.6

– The quality and relevance of products offered by security vendors: 3.4

– The quality and relevance of services offered by security vendors: 3.3

– National policy regarding security: 3.0

The following mean scores indicate respondents’ confidence, on a scale of 1 to 5 (5 being highly confident), in:

– Continued growth of recognition of security as a business function: 4.0

– Short-term viability of the Internet as a business channel: 3.9

– Long-term viability of the Internet as a business channel: 3.9

– Your ability to secure your company’s assets, given current resources: 3.6

– Law enforcement’s capabilities to stop and prosecute electronic crime: 2.6