A definite chasm exists between chief information security officers’ (CISOs’) priorities and their responsibilities, according to a new survey from Forrester.
The research firm believes that even though CISOs understand that their priorities need to align with business objectives, many of them remain too focused on technology and operations. Forrester suggests that CISOs need to do more, incorporating business objectives into their efforts to manage information risk, achieve greater operational efficiencies, and bolster security awareness and training.
In a recent Forrester survey, information protection and information availability initiatives topped the list of CISO concerns for 2008. For many CISOs, these business priorities have been bundled as part of their core responsibilities and are being brought to the top of their agendas by executive management.
Ultimately though, said report author Khalid Kark, CISOs have the right business priorities, with the wrong operational focus. He explained, “CISOs are getting their priorities aligned with the business, but many struggle to look at these problems from a business perspective. A majority of CISOs are still responsible for technical and infrastructure security and rely heavily on technology to solve all their issues. They face challenges coordinating their efforts across business areas and find it hard to balance compliance and security responsibilities.
“A vast majority (81%) of security professionals identified data protection as important or very important for their organisation in the next 12 months. For many CISOs, this means encrypting sensitive data or deploying information leak prevention technologies. They still ignore or de-emphasise the process and people elements of data security such as security awareness, monitoring, and auditing processes.”
The survey also found that CISOs face business continuity issues: approximately 27% of enterprises indicated that they don’t have a recovery site in the event of a datacentre site failure, and 23% of enterprises have never tested their disaster recovery plans.
Kark will reveal more details of the survey at the upcoming Forrester Security Forum, but he recommended that CISOs target their 2008 efforts on delivering demonstrable value, developing more comprehensive competencies and bracing for requests to tighten belts.
He said, “Many CISOs point to a lack of skilled people as one of their major issues. As security threats become more sophisticated and the threat vectors become diverse, security organisations need to have competencies that are deep and wide. It’s not enough to have deep understanding of encryption technologies; you also need to understand the basics of human psychology to predict how people would try [to circumvent] this control or how they could be tricked into giving away their passwords.
“One large global organisation challenges its IT staff to reduce IT operations expenses by 30% every year and use this amount for new tools and technologies. Expect to get similar targets for the information security group, especially if the economy continues to slow.”