CISOs have right objectives but wrong focus

Too many heads of information security are too focused on technology and operations rather than on what they can do for the business

A definite chasm exists between chief information security officers’ (CISOs’) priorities and their responsibilities, according to a new survey from Forrester.

The research firm believes that even though CISOs understand that their priorities need to align with business objectives, many of them remain too focused on technology and operations. Forrester suggests that CISOs need to do more, incorporating business objectives into their efforts to manage information risk, achieve greater operational efficiencies, and bolster security awareness and training.

In a recent Forrester survey, information protection and information availability initiatives topped the list of CISO concerns for 2008. For many CISOs, these business priorities have been bundled as part of their core responsibilities and are being brought to the top of their agendas by executive management.

Ultimately though, said report author Khalid Kark, CISOs have the right business priorities, with the wrong operational focus. He explained, “CISOs are getting their priorities aligned with the business, but many struggle to look at these problems from a business perspective. A majority of CISOs are still responsible for technical and infrastructure security and rely heavily on technology to solve all their issues. They face challenges coordinating their efforts across business areas and find it hard to balance compliance and security responsibilities.

“A vast majority (81%) of security professionals identified data protection as important or very important for their organisation in the next 12 months. For many CISOs, this means encrypting sensitive data or deploying information leak prevention technologies. They still ignore or de-emphasise the process and people elements of data security such as security awareness, monitoring, and auditing processes.”

Further to this, CISOs also face business continuity gaps. In the Forrester survey, approximately 27% of enterprises indicated that they don’t have a recovery site in the event of a datacentre site failure, and 23% of enterprises have never tested their disaster recovery plans.

Kark will reveal more details of the survey at the upcoming Forrester Security Forum, but was able to recommend that CISOs target their 2008 efforts on delivering demonstrable value, developing more comprehensive competencies and bracing for requests to tighten belts.

He said, “Many CISOs point to a lack of skilled people as one of their major issues. As security threats become more sophisticated and the threat vectors become diverse, security organisations need to have competencies that are deep and wide. It’s not enough to have deep understanding of encryption technologies; you also need to understand the basics of human psychology to predict how people would try [to circumvent] this control or how they could be tricked into giving away their passwords.
“One large global organisation challenges its IT staff to reduce IT operations expenses by 30% every year and use this amount for new tools and technologies. Expect to get similar targets for the information security group, especially if the economy continues to slow.”
