Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
10/19/2017
09:00 AM
Mike Convertino
Mike Convertino
Partner Perspectives
Connect Directly
LinkedIn
RSS
100%
0%

CISOs: Striving Toward Proactive Security Strategies

A new survey paints a compelling picture of the modern security executive, how they succeed, and how much power they wield.

Chief Information Security Officers are in a tough spot. Organizations are squeezed by cyber criminals, new compliance requirements, and bleeding-edge technologies that erode privacy and stability. The team that leads defense efforts is becoming a more and more vital player in the long-term survival of any organization that sells, uses, or produces information technology — that is to say, everyone. But what do we really know about CISOs and how they operate?

Many surveys talk about CISO salaries and job prospects, but we felt that the industry as a whole needed to fully understand what goes into the day-to-day job of a CISO. F5 and research firm Ponemon teamed to directly survey CISOs. Our goal: to draw as complete a picture as we could on the modern security executive. In the report, "The Evolving Role of CISOS and Their Importance to the Business," we focus on key areas like budgetary control, organizational influence, decision rationale, and strategic methodology. In other words, how do CISOs succeed, and how much power do they wield? We also delve into the background of CISOs and their experience, both in terms of technical capability and business savvy.

To cast a wide net, we interviewed senior level IT security professionals from 184 organizations in seven countries, tracking nearly 70 questions. We wanted a deep, unbiased look at the contemporary CISO. The results are eye-opening, and both encouraging and worrisome.

First, the discouraging news: security programs appear to be reactive: 60% of respondents say material data breaches and cybersecurity exploits are the primary drivers of change in security programs. A mere 22% of respondents say their organizations’ security function is integrated with other business functions. Perhaps most concerning, only 51% say their organization has an IT security strategy and, of those, only 43% say that the company strategy is reviewed, approved, and supported by C-level executives.

Now the is good news. A full 77% of respondents say their IT security operations are aligned with IT operations, although fewer respondents (60%) say they have achieved alignment of IT security operations with business objectives.

Furthermore, there are some promising trends in the day-to-day responsibilities CISOs hold. Most CISOs (67%) believe they should be responsible for setting security strategy, and the majority are influential in managing their companies’ cybersecurity risks, with 65% reporting to senior executives (meaning, no more than three steps below the CEO on the organization chart). Over half (61%) set the security mission and are responsible for informing the organization about new threats, technologies, practices, and compliance requirements (60%). In the event of a serious security incident, more than half (60%) have a direct channel to the CEO.

These findings indicate both the challenges and the progress CISOs are making in today’s complex environment. I invite you to reflect on and discuss these findings with your peers and in the comment section below. My hope is that we now have a foundation for more meaningful conversations with one another, and have a greater impact on our organizations. I also hope the broader discussions we are driving here at F5 Labs are providing CISOs and future CISOs the tools to tackle this challenge.

There's a lot there. You can read the full report here

Get the latest application threat intelligence from F5 Labs.

Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.