According to 82 percent of the security leaders who participated in the 2014 IBM Chief Information Security Officer Assessment, the very definition of security has changed over the past three years. And 63 percent of these leaders now worry that the sophistication of external threats is rising faster than their ability to combat them.
But this study also gives clues to a new security game plan: ironically, becoming more secure is tied to being more open. Security leaders are realizing that one of the best ways to thwart the bad guys is by collaborating more frequently within and among organizations.
Internal collaboration – the S-suite
To build more comprehensive defenses, security leaders are integrating strategies across the organization – 62 percent are developing their security strategies in conjunction with other functions, such as IT, Risk and Operations. CISOs are also collaborating across the C-suite. Besides the CIO and CEO, security leaders now work regularly with the CFO, CTO and COO. And they’re not just reporting on security issues – they’re actively engaging their peers’ support in better identifying and assessing risk, the most common topic in sessions with C-suite leadership.
Because security leaders are partnering so broadly across the C-suite, there’s no longer a “standard” reporting structure for CISOs. In the past, security was typically a function under IT – it continues to be for many organizations. But now, new reporting configurations are appearing that mirror these new working relationships.
In our assessment, CISOs now report to the CEO more often than the CIO. A fair number of CISOs work for CFOs, CTOs and COOs. And in a few extremely non-traditional cases, CIOs even reported to CISOs. We also noticed enterprises experimenting with combined roles, such as merging CISO and Chief Privacy Officer positions into one Chief Information Privacy Officer role.
Together, these shifts suggest that security is increasingly a team sport, often tackled together by a group of high-level executives, turning the C-suite into an S-suite as well.
External collaboration – an ecosystem approach
In an intertwined business world, increased connection brings increased potential risk. In our study, 62 percent of security leaders strongly agreed that the risk level to their organization was increasing due to the number of interactions and connections with customers, suppliers and partners. Security leaders are beginning to collaborate more externally to better manage this risk – exchanging threat information with third parties such as industry peers, government agencies, suppliers and security vendors. In general, security leaders who receive and share information with external sources tend to be highly satisfied with the exchange. This increased external collaboration is evident in other ways as well. For example, although fewer than half are currently members of a formal industry-related security organization, the vast majority (86 percent) of security leaders believe participation will be necessary within the next three to five years.
The fast-changing security landscape can often feel like new territory – even to those who are considered security experts. Collaborating across ecosystems can provide greater awareness, enhance education, lead to better effectiveness and improve the overall state of preparedness. While threats are unlikely to diminish in volume or sophistication, integrated efforts can help better protect an ecosystem.