I’ve had the privilege of working with IBM’s Security Systems and Services teams over the past two years looking at the evolution of security leadership and what security leaders, like the CISO, are going to need to look like in the future. We’ve also looked at leading practices in cybersecurity education and we’ve identified essential security practices for CIOs based on our experiences at IBM.
Have a strategic vision… ensure global consistency in policy… engage in lots of communication with business leaders… speak business value and understand risk… minimize the impact of security to the business… be on the bleeding edge of enterprise and consumer technology…
A set of challenges also emerged from the interviews we conducted. Although we targeted more mature security leaders, they are still struggling in three areas.
- How do I best manage a broad set of concerns from a diverse set of business stakeholders?
Security leaders who are engaged with the business have to deal with a number of security fears from the C-Suite. The CEO might be most worried about losing customer trust because of a breach, the CFO might worry about the financial impact of recovery, and COOs might focus on the impact of operational downtime. Good security leaders are able to balance, manage and allay all of these concerns.
- How do I improve mobile security policy and management – not just deploy the latest technology?
It’s no surprise that mobile security is top of mind. It was identified as a top technology concern in last year’s Assessment and continues to be at the forefront. Most are enabling secure mobile deployments in their organizations, but fewer have achieved comprehensive policies or strategies for personally owned devices.
- How do I translate security metrics into the language of the business to help guide strategy?
Technical and business metrics need to be used for more than just budget discussions and technology prioritization; they need to be deeply integrated into the decision-making process of the business. To get to that point, security metrics must be translated into things the business will understand, like financial impact.
To learn more and download the full report and other materials, visit the IBM Center for Applied Insights and join us in an open discussion about the future of information security leadership.