Those were some of the conclusions in a study of 138 security executives done by IBM and its Center for Applied Insights, which also found that, rather than just reactively responding to security incidents, the Chief Information Security Officer's (CISO's) role is shifting toward intelligent and holistic risk management -- from fire-fighting to anticipating and mitigating fires before they start.
"Overall, all security leaders today are under intense pressure, charged with protecting some of their firm's most valuable assets - money, customer data, intellectual property and brand. Nearly two-thirds of CISOs surveyed say their senior executives are paying more attention to security today than they were two years ago, with a series of high-profile hacking and data breaches convincing them of the key role that security has to play in the modern enterprise. More than half of respondents cited mobile security as a primary technology concern over the next two years," the study found.
"Nearly two-thirds of respondents expect information security spend to increase over the next two years and of those, 87% expect double-digit increases," IBM said.
Some other interesting findings from the "Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment" report:
• Nearly two-thirds of security leaders say their senior executives are paying more attention to security today than they were two years ago, due in large part to media attention. One of the chief attributes of a leading organization is having the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. In fact, 60% of the advanced organizations named security as a regular boardroom topic, compared to only 22% of the least advanced organizations, IBM said.
• Attention is shifting toward risk management. In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues. According to IBM, forward-thinking security organizations are more likely to establish a security steering committee to encourage systemic approaches to security issues that span legal, business operations, finance, and human resources. Fully 68% of advanced organizations had a risk committee, versus only 26% in the least advanced group.
• Use of data-driven decision making and measurement: Leading organizations are twice as likely to use metrics to monitor progress, the study showed (59% vs. 26%).
• Shared budgetary responsibility with the C-suite: The study showed that within most organizations, CIOs typically have control over the information security budget. However, among highly ranked organizations, investment authority lies with business leaders more often. In the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets. Lower ranking organizations often lacked a dedicated budget line item altogether, indicating a more tactical, fragmented approach to security. Fully 71% of advanced organizations had a dedicated security budget line item compared to 27% of the least mature group, IBM said.