28 March 2008
A definite chasm exists between chief information security officers' (CISOs') priorities and their responsibilities, according to a new survey from Forrester.
The research firm believes that even though CISOs understand that their priorities need to align with business objectives, many of them remain too focused on technology and operations. Forrester believes that CISOs need to do more, incorporating business objectives into their efforts to manage information risk, achieve greater operational efficiencies, and bolster security awareness and training.
In a recent Forrester survey, information protection and information availability initiatives topped the list of CISO concerns for 2008. For many CISOs, these business priorities have been bundled into their core responsibilities and are being pushed to the top of their agendas by executive management.
Ultimately, though, said report author Khalid Kark, CISOs have the right business priorities with the wrong operational focus. He explained: "CISOs are getting their priorities aligned with the business, but many struggle to look at these problems from a business perspective. A majority of CISOs are still responsible for technical and infrastructure security and rely heavily on technology to solve all their issues. They face challenges coordinating their efforts across business areas and find it hard to balance compliance and security responsibilities.
"A vast majority (81 per cent) of security professionals identified data protection as important or very important for their organisation in the next 12 months. For many CISOs, this means encrypting sensitive data or deploying information leak prevention technologies. They still ignore or de-emphasise the process and people elements of data security such as security awareness, monitoring, and auditing processes."
The survey also exposed business continuity gaps: approximately 27 per cent of enterprises indicated that they do not have a recovery site in the event of a datacentre failure, and 23 per cent of enterprises had never tested their disaster recovery plans.
Kark will reveal more details of the survey at the upcoming Forrester Security Forum, but said he recommends that CISOs focus their 2008 efforts on delivering demonstrable value, developing more comprehensive competencies and bracing for requests to tighten belts.
He said, "Many CISOs point to a lack of skilled people as one of their major issues. As security threats become more sophisticated and the threat vectors become diverse, security organisations need to have competencies that are deep and wide. It's not enough to have deep understanding of encryption technologies; you also need to understand the basics of human psychology to predict how people would try [to circumvent] this control or how they could be tricked into giving away their passwords. One large global organisation challenges its IT staff to reduce IT operations expenses by 30 per cent every year and use this amount for new tools and technologies. Expect to get similar targets for the information security group, especially if the economy continues to slow."