CSOonline's exclusive 2009 State of the CSO research shows the importance of risk management continues to rise, though challenges remain All things considered, the state of the CSO is quite good these days. While the economy is in the tank, CSOs report that security’s stock is still rising.And perhaps that’s not a coincidence. The CEOs and CFOs of the world are more attuned to risk than ever, say respondents to our exclusive annual State of the CSO survey. (Even better than last year’s results, which were already very positive.)More organizations report having security processes in place. The CSO role itself is viewed as an ever-more strategic and permanent part of corporate leadership. As a result, CSOs report higher overall job satisfaction than last year.That’s not to say that everything is roses and chocolate. Security awareness among everyday employees remains challenged — just over a third of respondents say line-of-business employees consider security part of their responsibilities. (See seven practical suggestions for raising awareness.) And some other stats raise an interesting question: In this time of relative favor, is security laying the groundwork necessary to keep its funding and attention when the economy turns around? About half of the respondents say they use no financial methodology for measuring the value or contribution of security. Similarly, half say they use no formal enterprise risk management process that extends beyond traditional stovepipes.Here is a look at key findings from the survey. A Happy PlaceJob satisfaction among security leaders is up, and organizational leadership is more attuned to security issues than in recent years (which is saying something).Respondents who are very satisfied or somewhat satisfied with the following: 20092008Your job overall82%74%Your org’s support for security65%65%Quality of products offered by security vendors62%50%Quality of services offered by security vendors54%46%Quality and relevance of standards and guidelines (eg ISO)68%56% ***Respondents who agree or strongly agree that senior management views the security leader’s role as strategic and permanent: 200970%200864%200417% ***“In the past 12 months, has leadership placed more, less or the same value on risk management?” More value50%The same value46%Less value4% ***Big and LittleThe often-cited gap between security practices at bigger companies and smaller ones is wide in places, but, surprisingly, in one area reversed. Might the backwards area suggest that bigger companies can be overly reliant on policy and smaller ones more focused on operational decisions?Respondents who agree or strongly agree with the following statements:Senior management has established a security policy and auditing process Big87%Midmarket62% All managers in the organization understand their roles in regard to security Big39%Midmarket28% Security considerations are a routine part of your organization’s business processes Big63%Midmarket72% Note: “Big” respondents report $1B revenues or more. “Midmarket” respondents have revenues between $100M and $1B.*** Employee Awareness and Responsibility: A Tought Nut to CrackEmployees outside of the security department get more security training than they did in 2004, but respondents still aren’t wildly optimistic that those employees build security into their day-to-day decisions. (Anybody shocked?)Respondents who agree or strongly agree with the following statements: “All employees receive training in all security policy topics”59%“All employees are trained in the consequences of a public security breach”54%“All employees consider security a part of their daily responsibilities”38% ***Security Financials: The Numbers GameNo question about it: Financial methodologies are hard to apply to secruity expenses.However, very little is done – or spent – in the corporate world without measurement. While none of the following methodologies is perfect, some would argue that security jeopardizes its standing by failing to present a rigorous examination of its spending.Which of the following methods and calculations do you apply in the security budgeting process? Return on investment38%Total cost of ownership34%Annual loss expectancy17%Net present value11%Economic value added9%No formal financial methodology50% ***Does your organization use a formal enterprise risk management process or methodology that incorporates multiple types of risk? Yes46%No54% ***About the survey and respondents:Qualified respondents were invited by email to take the 2009 State of the CSO survey this spring. The survey instrument was completed online. The 256 respondents represented a variety of industries, the largest being:Govt, nonprofit and education 23%Financial services 20%High-tech, telecom and utilities 17%Healthcare 11%Manufacturing 9%Respondents report involvement in activities including:Information security 95%Business continuity 92%Security-related audit 90%Privacy 89%Intellectual property protection 84%Investigations 81%Fraud prevention 73%Assets/facilities security 72%Personnel security 60% Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe