Despite being faced with one of the worst economic downturns in recent history, companies continue to prioritise information security. Today, more organisations than ever before have a Chief Information Security Officer (CISO). Forty-four percent of companies employed a CISO in 2009 compared to 29 percent in 2008, according to a 2010 PricewaterhouseCoopers survey. Compare this with nearly a decade ago, when most security tasks would originate from an organisation's operations group.
As stories of data breaches continue to make headlines, organisations now understand the critical need to mitigate security risks. A growing emphasis on security has changed not only the role of the CISO, but also how they are viewed by the organisation's corporate decision makers. Whereas yesterday's CISOs used to be in charge of day-to-day security operations, today's CISOs are strategists, partnering in their company's growth plans.
Companies with a CISO are more successful
As the trend towards hiring a CISO continues to grow, the benefits of doing so have become more apparent. Our IT Policy Compliance Group has found that companies with a CISO actually have better outcomes than those without a CISO.
Our research found that companies experiencing the best outcomes manage the information security function through a CISO, who reports to a Chief Risk Officer (CRO), a Chief Compliance Officer (CCO), and the senior leader of IT assurance or the Chief Information Officer (CIO). These organisations focus on operational excellence in IT by implementing standardised procedures and controls based on best practice frameworks (e.g. ISO, CobiT, PCI), automating these procedures and controls, and measuring, assessing and reporting on risk on a regular basis. The net result is lower audit spend, reduced data theft and higher customer retention. These organisations also have larger profits, higher revenues and higher levels of business productivity from IT.
CISOs reduce risk
A CISO can help companies be more successful, but it is important to note that the most successful companies are those with a named CISO, not just a manager of information security that performs similar duties. Companies with a named CISO are 10 times more likely to experience the least loss or theft of customer data, our IT Policy Compliance Group found.
In contrast, organisations where the information security function is being managed at lower levels within IT operations are four to eight times more likely to be among those with the highest rates of data loss and theft.
In addition, the best performing organisations (with CISOs) manage business productivity and risks by using policies and targets for minimum acceptable downtime and maximum acceptable risks. They also measure, assess and report on risks daily, weekly and monthly. Organisations with the worst business outcomes do not have policies or targets for minimum acceptable downtime and maximum acceptable risks.
CISOs reduce cost
Along with reductions in risk, the most successful companies with a named CISO experience less financial exposure from data loss and theft.
The one in 10 organisations with the best outcomes studied by our IT Policy Compliance Group spend 0.4 percent of revenue on data loss exposure, compared with the companies with the worst outcomes, which spend 9.6 percent of revenue on costs related to data loss.
Other studies reveal similar findings. Companies that experienced a data breach last year but had a CISO in place who managed the data breach incident experienced an average cost of US$157 per compromised record versus US$236 for companies without CISO leadership, according to the Ponemon Institute's 2009 Cost of a Data Breach study. This means companies that experienced a data breach but did not have a CISO to manage the incident spent 50 percent more than companies with a CISO.
The Ponemon Institute notes that this outcome is probably "due to the strategic role CISOs play in ensuring security and privacy measures are effectively implemented."
In addition to lowering costs in the event of a data breach, the most successful companies with a CISO also spend 50 percent less on regulatory compliance, our IT Policy Compliance Group found.
CISOs highlight the need for more than just technology
CISOs reduce risk and cost, but they also highlight the importance of viewing security as part of the business process, rather than just an IT problem.
For organisations that are plagued with the highest rates of data loss and theft, a common management approach to information security is that security is only a technology issue. These organisations leave security to be managed by IT operations without the proper oversight and control, our IT Policy Compliance Group found.
Companies that have the best business outcomes are managing information security at a higher level as a quality-controlled function that goes beyond the technologies involved. Automation of policies, procedures and controls is an important part of the equation for those companies with the best outcomes.
Among the organisations with the best outcomes, an average of two-thirds of procedures and controls related to the information security and assurance function are fully automated, according to our IT Policy Compliance Group. Contrast this with the worst performing organisations, which automate less than one-third of procedures and technical controls.
In addition, the best performing organisations also automate measurement and reporting. These organisations assess and report on key risks, controls and indicators on a daily, weekly and monthly basis versus the worst performing organisations, which assess and report no more than every five months.
Simply put, CISOs contribute to better business results by ensuring security measures are fully implemented, standardising and automating procedures, and by taking a strategic role within the organisation to make information security a part of the business process.
Jim Hurley is the managing director of Symantec's IT Policy Compliance Group.