CSOonline's exclusive 2009 State of the CSO research shows the importance of risk management continues to rise, though challenges remain.

All things considered, the state of the CSO is quite good these days. While the economy is in the tank, CSOs report that security’s stock is still rising. And perhaps that’s not a coincidence. The CEOs and CFOs of the world are more attuned to risk than ever, say respondents to our exclusive annual State of the CSO survey. (Even better than last year’s results, which were already very positive.)

More organizations report having security processes in place. The CSO role itself is viewed as an ever-more strategic and permanent part of corporate leadership. As a result, CSOs report higher overall job satisfaction than last year.

That’s not to say that everything is roses and chocolate. Security awareness among everyday employees remains challenged — just over a third of respondents say line-of-business employees consider security part of their responsibilities. (See seven practical suggestions for raising awareness.) And some other stats raise an interesting question: In this time of relative favor, is security laying the groundwork necessary to keep its funding and attention when the economy turns around? About half of the respondents say they use no financial methodology for measuring the value or contribution of security. Similarly, half say they use no formal enterprise risk management process that extends beyond traditional stovepipes.

Here is a look at key findings from the survey.
A Happy Place

Job satisfaction among security leaders is up, and organizational leadership is more attuned to security issues than in recent years (which is saying something).

Respondents who are very satisfied or somewhat satisfied with the following (2009 / 2008):
  Your job overall: 82% / 74%
  Your org’s support for security: 65% / 65%
  Quality of products offered by security vendors: 62% / 50%
  Quality of services offered by security vendors: 54% / 46%
  Quality and relevance of standards and guidelines (e.g. ISO): 68% / 56%

***

Respondents who agree or strongly agree that senior management views the security leader’s role as strategic and permanent:
  2009: 70%
  2008: 64%
  2004: 17%

***

“In the past 12 months, has leadership placed more, less or the same value on risk management?”
  More value: 50%
  The same value: 46%
  Less value: 4%

***

Big and Little

The often-cited gap between security practices at bigger companies and smaller ones is wide in places but, surprisingly, reversed in one area. Might the backwards area suggest that bigger companies can be overly reliant on policy and smaller ones more focused on operational decisions?

Respondents who agree or strongly agree with the following statements (Big / Midmarket):
  Senior management has established a security policy and auditing process: 87% / 62%
  All managers in the organization understand their roles in regard to security: 39% / 28%
  Security considerations are a routine part of your organization’s business processes: 63% / 72%

Note: “Big” respondents report $1B revenues or more. “Midmarket” respondents have revenues between $100M and $1B.

***

Employee Awareness and Responsibility: A Tough Nut to Crack

Employees outside of the security department get more security training than they did in 2004, but respondents still aren’t wildly optimistic that those employees build security into their day-to-day decisions.
(Anybody shocked?)

Respondents who agree or strongly agree with the following statements:
  “All employees receive training in all security policy topics”: 59%
  “All employees are trained in the consequences of a public security breach”: 54%
  “All employees consider security a part of their daily responsibilities”: 38%

***

Security Financials: The Numbers Game

No question about it: Financial methodologies are hard to apply to security expenses. However, very little is done – or spent – in the corporate world without measurement. While none of the following methodologies is perfect, some would argue that security jeopardizes its standing by failing to present a rigorous examination of its spending.

Which of the following methods and calculations do you apply in the security budgeting process?
  Return on investment: 38%
  Total cost of ownership: 34%
  Annual loss expectancy: 17%
  Net present value: 11%
  Economic value added: 9%
  No formal financial methodology: 50%

***

Does your organization use a formal enterprise risk management process or methodology that incorporates multiple types of risk?
  Yes: 46%
  No: 54%

***

About the survey and respondents:

Qualified respondents were invited by email to take the 2009 State of the CSO survey this spring. The survey instrument was completed online.
The 256 respondents represented a variety of industries, the largest being:
  Govt, nonprofit and education: 23%
  Financial services: 20%
  High-tech, telecom and utilities: 17%
  Healthcare: 11%
  Manufacturing: 9%

Respondents report involvement in activities including:
  Information security: 95%
  Business continuity: 92%
  Security-related audit: 90%
  Privacy: 89%
  Intellectual property protection: 84%
  Investigations: 81%
  Fraud prevention: 73%
  Assets/facilities security: 72%
  Personnel security: 60%