The secrets of top-performing information security officers
A new study based on two years of work by IANS Research looks at the work of chief information security officers (CISOs) and their role in enterprises.
The report identifies concrete actions CISOs should consider taking to progress their programs from where they are today to the next level.
Among the findings of the CISO Impact report are that high-performing CISOs know the value of engaging to drive change. In the data, three out of four high performers embrace this approach, compared to one in 20 of the low performers.
All the highest performers have followed the route of building alliances for a risk-based approach to information security, an approach where business leaders own the risk. 84 percent of high-performing CISOs build a 'cyber cadre' -- a unit that can act and speak as one, whether interacting with leadership, middle management, or individuals. Yet a mere one in 10 cyber teams has a proactive stakeholder engagement program in place, and 88 percent of information security teams have no formal, ongoing data classification practices.
Who the CISO reports to makes a difference too. The majority (95 percent) of low-performing CISOs report to the technology part of the business, but more than 60 percent of the highest performers report to risk and business roles.
It's financial firms that lead the way on CISO Impact best practices -- with healthcare, energy, technology and services lagging significantly behind.
"The connected world is a dangerous place, and because of this, CISOs and their teams must lead their organizations to adopt safe business practices," says Stan Dolberg, chief research officer at IANS Research. "However, the challenge remains that many CISOs are leading from a position of little authority or influence. The CISO Impact diagnostic provides specific ways for CISOs to assert information security leadership skills that are commonly found in organizations one step ahead on the maturity curve. Our goal is to inform, contextualize and prioritize where to invest skills, practices, and technologies. Armed with this strong guidance, CISOs can chart their own paths to leadership."
You can find out more in the full report on the IANS website and there will be a presentation on the findings at next week's RSA conference. There's a summary of the findings in infographic form below.