


State of the CSO: Security’s Influence Grows; Will It Last?

Jun 09, 2009 | 4 mins
Risk Management, ROI and Metrics, Security

CSOonline's exclusive 2009 State of the CSO research shows the importance of risk management continues to rise, though challenges remain

All things considered, the state of the CSO is quite good these days. While the economy is in the tank, CSOs report that security’s stock is still rising.

And perhaps that’s not a coincidence. The CEOs and CFOs of the world are more attuned to risk than ever, say respondents to our exclusive annual State of the CSO survey. (Even better than last year’s results, which were already very positive.)

More organizations report having security processes in place. The CSO role itself is viewed as an ever-more strategic and permanent part of corporate leadership. As a result, CSOs report higher overall job satisfaction than last year.

That’s not to say that everything is roses and chocolate. Security awareness among everyday employees remains challenged — just over a third of respondents say line-of-business employees consider security part of their responsibilities. (See seven practical suggestions for raising awareness.)

And some other stats raise an interesting question: In this time of relative favor, is security laying the groundwork necessary to keep its funding and attention when the economy turns around? About half of the respondents say they use no financial methodology for measuring the value or contribution of security. Similarly, half say they use no formal enterprise risk management process that extends beyond traditional stovepipes.

Here is a look at key findings from the survey.

A Happy Place

Job satisfaction among security leaders is up, and organizational leadership is more attuned to security issues than in recent years (which is saying something).

Respondents who are very satisfied or somewhat satisfied with the following:

Your job overall 82% 74%
Your org’s support for security 65% 65%
Quality of products offered by security vendors 62% 50%
Quality of services offered by security vendors 54% 46%
Quality and relevance of standards and guidelines (eg ISO) 68% 56%


Respondents who agree or strongly agree that senior management views the security leader’s role as strategic and permanent:



“In the past 12 months, has leadership placed more, less or the same value on risk management?”

More value 50%
The same value 46%
Less value 4%


Big and Little

The often-cited gap between security practices at bigger companies and smaller ones is wide in places, but, surprisingly, in one area reversed. Might the backwards area suggest that bigger companies can be overly reliant on policy and smaller ones more focused on operational decisions?

Respondents who agree or strongly agree with the following statements:

Senior management has established a security policy and auditing process


All managers in the organization understand their roles in regard to security


Security considerations are a routine part of your organization’s business processes


Note: “Big” respondents report $1B revenues or more. “Midmarket” respondents have revenues between $100M and $1B.


Employee Awareness and Responsibility: A Tough Nut to Crack

Employees outside of the security department get more security training than they did in 2004, but respondents still aren’t wildly optimistic that those employees build security into their day-to-day decisions. (Anybody shocked?)

Respondents who agree or strongly agree with the following statements:

“All employees receive training in all security policy topics” 59%
“All employees are trained in the consequences of a public security breach” 54%
“All employees consider security a part of their daily responsibilities” 38%


Security Financials: The Numbers Game

No question about it: Financial methodologies are hard to apply to security expenses.

However, very little is done – or spent – in the corporate world without measurement. While none of the following methodologies is perfect, some would argue that security jeopardizes its standing by failing to present a rigorous examination of its spending.

Which of the following methods and calculations do you apply in the security budgeting process?

Return on investment 38%
Total cost of ownership 34%
Annual loss expectancy 17%
Net present value 11%
Economic value added 9%
No formal financial methodology 50%


Does your organization use a formal enterprise risk management process or methodology that incorporates multiple types of risk?



About the survey and respondents:

Qualified respondents were invited by email to take the 2009 State of the CSO survey this spring. The survey instrument was completed online. The 256 respondents represented a variety of industries, the largest being:

Govt, nonprofit and education 23%

Financial services 20%

High-tech, telecom and utilities 17%

Healthcare 11%

Manufacturing 9%

Respondents report involvement in activities including:

Information security 95%

Business continuity 92%

Security-related audit 90%

Privacy 89%

Intellectual property protection 84%

Investigations 81%

Fraud prevention 73%

Assets/facilities security 72%

Personnel security 60%