Despite being faced with one of the worst economic downturns in recent history, companies continue to prioritise information security. Today, more organisations than ever before have a Chief Information Security Officer (CISO). Forty-four percent of companies employed a CISO in 2009 compared to 29 percent in 2008, according to a 2010 PricewaterhouseCoopers survey. Compare this with nearly a decade ago, when most security tasks originated from an organisation's operations group.
As stories of data breaches continue to make headlines, organisations now understand the critical need to mitigate security risks. A growing emphasis on security has changed not only the role of the CISO, but also how they are viewed by the organisation's corporate decision makers. Whereas yesterday's CISOs used to be in charge of day-to-day security operations, today's CISOs are strategists, partnering in their company's growth plans.
Companies with a CISO are more successful
As the trend towards hiring a CISO continues to grow, the benefits of doing so have become more apparent. Our IT Policy Compliance Group has found that companies with a CISO actually have better outcomes than those without a CISO.
Our research found that companies experiencing the best outcomes manage the information security function through a CISO, who reports to a Chief Risk Officer (CRO), a Chief Compliance Officer (CCO), and the senior leader of IT assurance or the Chief Information Officer (CIO). These organisations focus on operational excellence in IT by implementing standardised procedures and controls based on best practice frameworks (e.g. ISO, CobiT, PCI), automating these procedures and controls, and measuring, assessing and reporting on risk on a regular basis. The net result is lower audit spend, reduced data theft and higher customer retention. These organisations also have larger profits, higher revenues and higher levels of business productivity from IT.
CISOs reduce risk
A CISO can help companies be more successful, but it is important to note that the most successful companies are those with a named CISO, not just a manager of information security that performs similar duties. Companies with a named CISO are 10 times more likely to experience the least loss or theft of customer data, our IT Policy Compliance Group found.
In contrast, organisations where the information security function is being managed at lower levels within IT operations are four to eight times more likely to be among those with the highest rates of data loss and theft.
In addition, the best performing organisations (those with CISOs) manage business productivity and risks by using policies and targets for minimum acceptable downtime and maximum acceptable risks. They also measure, assess and report on risks daily, weekly and monthly. Organisations with the worst business outcomes do not have policies or targets for minimum acceptable downtime and maximum acceptable risks.