10/24/2013
08:04 PM
Dark Reading
Products and Releases

IBM Study: Security Officers Gaining a Strategic Voice, Transforming Technology And Business In Global Organizations

Three-fourths of security leaders have deployed cloud security services; mobile security most recently deployed technology

ARMONK, N.Y., Oct. 24, 2013 /PRNewswire/ -- A new IBM (NYSE: IBM) study of security leaders reveals that they are increasingly being called upon to address board-level security concerns and as a result are becoming a more strategic voice within their organizations.

The findings reveal that a constantly evolving threat landscape, emerging technologies and budgetary restraints are requiring security leaders to play a more active role in communicating with C-suite leaders and with their boards, as the rise in security incidents impacts brand reputation and customer trust.

Additionally, cloud and mobile adoption continues to grow as a focus area for the majority of security leaders.

The 2013 IBM Chief Information Security Officer Assessment takes the pulse of security leaders from Fortune 100 and mid-sized businesses. Among the findings:

Technology Trends -- Moving beyond the Foundational: Mobile security is the number one "most recently deployed" initiative, with one-quarter of those surveyed deploying it in the past 12 months. According to the findings, while security leaders are looking to advance mobile security beyond technology and toward policy and strategy, less than 40% of organizations have deployed specific response policies for personally owned devices or an enterprise strategy for bring-your-own-device (BYOD).

Nearly 76% of security leaders interviewed have deployed some type of cloud security services -- the most popular being data monitoring and audit, along with federated identity and access management (both at 39%). While cloud and mobile continue to receive a lot of attention within many organizations, foundational technologies that security leaders are focusing on include identity and access management (51%), network intrusion prevention and vulnerability scanning (39%) and database security (32%).

Business Practices -- Catching the Vision: The security leaders interviewed stress the need for strong business vision, strategy and policies, comprehensive risk management, and effective business relations to be impactful in their roles. Understanding the concerns of the C-suite is also critical as more seasoned security leaders meet regularly with their board and C-suite leaders.

The top trends that they discuss include identifying and assessing risks (59 percent), resolving budget issues and requests (49 percent) and new technology deployments (44 percent).

When asked what advice they would give to new security leaders, respondents recommended a strong emphasis on vision, strategy and policies, comprehensive risk management and effective business relations.

"Building the trust of the C-suite and the board is critical to the success of a security officer," said Ken Kilby, Chief Information Security Officer, BB&T Corporation, one of the largest financial services holding companies in the United States. "Beyond internal relationships, developing relationships with law enforcement, industry partners and legislators is crucial in fostering greater public and private communication and will ultimately help to reduce the total attack surface and protect an organization's data."

Measurement -- Providing the Right Feedback: Security leaders continue to use metrics mainly to guide budgeting and to make the case for new technology investments. In some cases, they use measurements to help develop strategic priorities for their security organizations. In general, however, technical and business metrics are still focused on operational issues. For example, over 90% of respondents track the number of security incidents, lost or stolen records, data or devices, and audit and compliance status -- fundamental dimensions security leaders would be expected to track. Far fewer respondents are feeding business and security measures into their enterprise risk process even though security leaders say the impact of security on overall enterprise risk is their most important success factor.

"It's evident in this study that security leaders need to focus on finding the delicate balance between developing a strong, holistic security and risk management strategy, while implementing more advanced and strategic capabilities such as robust mobile security that includes policies for BYOD," said David Jarvis, co-author of the report and manager at the IBM Center for Applied Insights.

About the Assessment

The IBM Center for Applied Insights, in collaboration with IBM Security Systems and IBM Security Services, conducted in-depth interviews with senior leaders who have responsibility for information security in their organizations. The goal of the interviews was to identify specific organizational practices and behaviors that could strengthen the role and influence of other security leaders. To maintain continuity, interviewees were recruited from the pool of 2012 research participants -- 80% of those recruited were prior participants -- with an emphasis on more mature security leaders. Interviewees were from a broad range of industries and four countries. Access the full study at www.ibm.com/security.

About IBM Security

IBM provides the expertise, skills, services and technology to help reduce the cost and complexity of securing IT infrastructures for IBM clients. IBM solutions include planning and design through implementation, testing, monitoring and management of multi-vendor environments.

For more information on IBM, visit www.ibm.com/security, or join the conversation and follow @IBMSecurity on Twitter. Visit our Security Intelligence Blog at www.securityintelligence.com.
