CISOs are only part of the plan


Can CISOs and CSOs make a difference in the companies for which they work? Can they shape a successful IT security program that promotes a flourishing, trusted and respected business? And, in the end, does it really matter if a company has a lead professional in place to oversee and usher in IT security practices, or can a company do without yet still maintain a strong IT security posture that begets consumer and investor confidence?

These and other questions were among those addressed in a recent study, Do CISOs Add Value?, conducted by Jon Oltsik of the Enterprise Strategy Group. Comparing organizations with and without CISOs, the study surveyed 227 North America-based security professionals from organizations with more than 1,000 employees.

Although some of the findings were not unexpected, many were a bit disheartening. For example, only 27 percent of companies with CISOs and eight percent without them believe currently implemented infosec technologies completely enforce confidential data security policies. Further, a meager 20 percent of organizations with CISOs and 14 percent without rate their security policies and processes as excellent in protecting confidential data.

Despite such low stats, 81 percent of all the pros surveyed say that enforcing confidential data security policies is the top priority. Still other priorities include communication and training employees on confidential data security policies, defining and updating these policies, and implementing access controls. But goals set and goals met are two different animals.

The research does seem to indicate that organizations do a better job of fortifying their security postures with a CISO on staff to lead related efforts. With or without them, however, companies are still struggling to adequately address various security goals, such as establishing email and IM policies, setting security policies on laptops and desktops, monitoring and auditing confidential data policies, and much more.

So what does all this mean? Headway is being made, but a CISO is just one part in bettering a company's security stance. These IT security leaders still need company-wide support. And such far-reaching planning, says Oltsik, "won't be easy or cheap. It is a long-term organizational commitment..."

Clearly, one that still needs to be taken on by many government and private entities alike - or else investor and consumer uncertainty will prove irreversible as the number of exposed identities continues to rise.

Illena Armstrong is editor-in-chief.

Copyright © SC Magazine, US edition