With cybercriminals becoming more proficient and data breaches continuing to make headlines, companies are focusing on securing sensitive information. Organisations now need to prioritise security investments, and new research sheds light on the critical factors that lead to better business outcomes related to IT security. One of the main differentiators for companies with the best IT security is having a chief information security officer (CISO). Despite facing a severe economic downturn, companies continue to prioritise information security.
One distinguishing point is that more organisations than ever before have a CISO. Forty-four percent of companies employed a CISO in 2009 compared to 29 percent in 2008, according to The Global State of Information Security Survey, 2010, conducted by PricewaterhouseCoopers. The New Zealand figures were lower, with 19 percent of respondents reporting that they have a CISO.
Compare this with nearly a decade ago, when most security tasks would originate from an organisation’s operations group, as cited in an article in CTO Forum.
More recently, a growing emphasis on security has changed not only the role of the CISO, but also how they are viewed by the organisation’s corporate decision makers. Whereas CISOs were previously in charge of day-to-day security operations, today’s CISOs are strategists, partnering in a company’s growth plans.
Companies with a CISO are more successful
As the trend toward hiring a CISO continues to grow, the benefits of doing so have become more apparent. The IT Policy Compliance Group found companies with CISOs actually have better outcomes than those without a CISO.
The IT Policy Compliance Group also found that companies experiencing the best outcomes manage their information security function through a CISO who reports to a Chief Risk Officer, a Chief Compliance Officer, the senior leader of IT assurance, or the Chief Information Officer. These organisations focus on operational excellence in IT by implementing standardised procedures and controls based on best practice frameworks such as ISO, COBIT and PCI, automating these procedures and controls, and measuring, assessing and reporting on risk on a regular basis. The result is lower audit spend, reduced data theft and higher customer retention. These organisations also have larger profits, higher revenues and higher levels of business productivity from IT.
CISOs reduce risk
A chief information security officer can help companies be more successful, but it is important to note that the most successful companies are those with a named CISO, not just a manager of information security who performs similar duties. Companies with a named CISO are 10 times more likely to experience the least loss or theft of customer data, the IT Policy Compliance Group found.
In contrast, organisations where information security is managed at lower levels within IT operations, by systems and network administrators or by a manager, are four to eight times more likely to be among those with the highest rates of data loss and theft.
In addition, best performing organisations with CISOs manage business productivity and risks by using policies and targets for minimum acceptable downtime and maximum acceptable risks. They also measure, assess and report on risks daily, weekly and monthly.
CISOs reduce cost
Along with reductions in risk, the most successful companies with a named CISO experience less financial exposure from data loss and theft. Best practice organisations' exposure to data loss amounts to 0.4 percent of revenue, compared with 9.6 percent for companies with the worst practices.
Other studies reveal similar findings. Companies that experienced a data breach last year, but had a CISO in place, experienced an average cost of US$157 per compromised record versus $236 for companies without CISO leadership, according to the Ponemon Institute’s 2009 Cost of a Data Breach study.
The Ponemon Institute notes that this outcome is likely “due to the strategic role CISOs play in ensuring security and privacy measures are effectively implemented”.
In addition to lowering costs in the event of a data breach, the most successful companies with a CISO spend 50 percent less on regulatory compliance, the IT Policy Compliance Group found.
The average amount spent on audit by organisations with normal outcomes is $3.70 for every dollar spent on the information security and assurance function, according to the IT Policy Compliance Group. In contrast, the amount spent on audit by the best performing organisations is $1.30 for each dollar spent.
CISOs highlight the need for more than just technology
CISOs reduce risk and cost, but they also highlight the importance of viewing security as part of the business process, rather than just an IT problem.
For organisations plagued with high rates of data loss and theft, a common management approach is to treat information security as only a technology issue. However, companies with the best business outcomes manage information security at a higher level, as a quality-controlled function that goes beyond the technologies involved. Automation of policies, procedures and controls is an important part of the equation for those companies. Among the organisations with the best outcomes, an average of two-thirds (66 percent) of procedures and controls related to information security and assurance are fully automated. In contrast, the worst performing organisations automate less than one-third (33 percent) of procedures and technical controls.
Simply put, CISOs contribute to better business results by ensuring security measures are fully implemented, standardising and automating procedures, and by taking a strategic role within the organisation to make information security a part of the business process.
The author is managing director, IT Policy Compliance Group at Symantec.