As industry watchers, analysts identify and understand trends. And for six years at Forrester Research, we have been talking about the shift from IT security to information risk management (IRM).
The market has embraced the IRM concept and adopted the terminology to describe a movement from the tactical and technical to the strategic and business-value-oriented.
But how far have security managers progressed with the transition? Measuring such progress is precisely what Forrester set out to do in our 2007 security survey of more than 2,000 North American and European firms.
Chief information security officers (CISOs) now understand that their priorities need to align with business objectives. And topping the list of priorities is protection of the organisation’s information assets.
As many as 81 per cent of firms cite protection of customer data as their most important business objective.
CISOs rank business continuity and disaster recovery second, with protection of corporate intellectual property and other sensitive internal data third.
Despite talk about compliance as a driver for security purchases, it ranks only fourth on the list of priorities.
Such findings correspond with Forrester’s analysis of security leaders’ top issues for the next 12 months.
Data security and mobile security rank first, business continuity is placed second and regulatory compliance comes seventh.
Vulnerability and threat management, the mainstay of IT security that centres on stopping the bad guys, was also towards the bottom of the list. Security teams are instead trying to focus more on what matters to the business.
And business executives realise security matters to them.
Of course, business awareness has also been raised by a never-ending stream of breach-instigated stories and lawsuits.
Almost two-thirds of IT security managers now have some degree of reporting, direct or dotted line, outside of IT.
Finance is the key department, but many security chiefs report to legal, human resources or an enterprise risk group.
Some CISOs even report to the executive office, with 20 per cent of European companies requiring direct reporting, twice the level of North American companies.
But all is not well. A recurring concern we hear from CISOs is that they are prevented from achieving goals because of a lack of resources.
Security chiefs are constantly thwarted by a lack of budget, shortage of people with the right skills, too many items on their plate, and a lack of influence with executives.
Such issues arise because security teams still hold responsibility for nuts-and-bolts issues, including infrastructure security, identity management and threat management. And managing the basics creates a self-sustaining barrier to success.
CISOs need to gain influence, and the key is closer alignment with the business and an appreciation of executives’ concerns.