For IT security teams at large organizations it can sometimes seem as if today’s challenges threaten to spiral out of control. Targeted attacks are increasing in number and sophistication, many of them the handiwork of organized cyber-criminals, whose overarching intent is to steal confidential information. At the same time, IT infrastructures have become so large and complex that it is difficult to control deviations from technical standards while a growing number of regulatory requirements place additional demands on already stretched resources.
Perhaps it’s not surprising, therefore, that, despite the downturn in the economy, more and more companies are appointing a Chief Information Security Officer (CISO) to help manage these challenges. In fact, according to a recent survey by PricewaterhouseCoopers, 44% of companies employed a CISO in 2009 versus just 29% in 2008.[1]
So how effective are CISOs at securing sensitive corporate information, reducing overall IT risk, and ensuring compliance? Continue reading to learn what new research has to say about companies that hire a CISO to mitigate security risks.
Recently, the IT Policy Compliance Group completed a year-long study[2] into how 809 organizations manage information security. The results, released in February, shed light in particular on the management practices of organizations with the best outcomes. These were the organizations that spent the least amount of money on audits, had the lowest financial exposure from data loss, experienced the least amount of business downtime from IT failures and disruptions, and had the highest customer retention rates.
According to the study, organizations with the best outcomes share several characteristics. To begin with, information security is typically managed by a CISO or “a senior manager of IT assurance,” while day-to-day operations are managed by IT security operations specialists reporting to the CISO. In fact, the IT Policy Compliance Group notes that organizations with an explicitly “named” CISO (rather than a manager of information security who performs similar duties) are 10 times more likely to experience the least loss or theft of customer data.
Secondly, the CISOs at these organizations are more likely to function as strategists, playing a key role in the company’s growth plans. For many of these CISOs, better top-line results even feature in their job description. The study quotes one CISO as saying, “Part of my job is to leverage the technology to boost profits and reduce costs. I’m always showing (the business-lines) how we can (safely) use technology to make more (money).”
Not surprisingly, the IT Policy Compliance Group notes that, for organizations with the best outcomes, reducing IT and compliance risks is viewed as a business objective, rather than an IT “problem.” As a result, CISOs at these organizations manage business productivity and risks by using policies and targets for minimum acceptable downtime and maximum acceptable risks. Policies, procedures, and controls are nearly fully automated, while measurement and reporting on IT risk and compliance occurs daily, weekly, and monthly.[3]
As can be expected, it’s a very different story for organizations experiencing average or worse industry outcomes for managing information security. The IT Policy Compliance Group notes that, for many of these organizations, policy compliance is still handled manually, via checklists, spreadsheets, and paper-based questionnaires, leading to higher costs and lack of visibility into overall policy enforcement and IT risks.
So how do the winning practices of the best performing organizations impact the bottom line? Through significant cost savings. These savings come not only from automating formerly manual processes but also from having to rely less on external audit services. The IT Policy Compliance Group findings show that the average amount spent on audit by organizations with normal outcomes is $3.70 for every dollar spent on the information security and assurance function.
“In contrast, the amount spent on audit by the best performing organizations is $1.30 for each dollar spent on information security and assurance. The difference — $2.40 in audit expense reductions for each dollar spent on information security — is a very attractive return.”
When it comes to managing information security, organizations with the best outcomes share several characteristics, according to the latest research from the IT Policy Compliance Group. These organizations have a CISO in charge of security who acts as a strategist; they automate their policies, procedures, and controls as much as possible; they automate measuring and reporting, with reporting done regularly; and, as a result, they spend significantly less on audits each year.
While there are many solutions available to help achieve these goals, Symantec’s Control Compliance Suite 10.0 is the only holistic, fully automated solution designed to manage all aspects of IT risk and compliance. It offers out-of-the-box policy content on multiple mandates, automated assessment of technical and procedural controls, Web-based dynamic dashboard reporting, and deep integration with other Symantec security solutions.
Perhaps best of all, Control Compliance Suite 10.0 enables organizations to demonstrate compliance with multiple industry regulations at lower levels of cost and complexity.
[1] The Global State of Information Security Survey, 2010, PricewaterhouseCoopers
[2] Best Practices for Managing Information Security, February 2010, IT Policy Compliance Group
[3] The study found that the following procedures are unique to the best performing organizations:
- Evidence about technical controls is gathered.
- Gaps in procedures are remediated.
- Technical controls are tested.
- Unauthorized access to IT assets is detected or prevented.
- An inventory of IT assets is maintained.
- Technical controls are mapped to policies, regulatory mandates, and legal statutes.
- Penetration testing of IT assets is conducted.
- Vulnerabilities are patched and documented.