CISOs reduce cost
Along with reductions in risk, the most successful companies with a named CISO experience less financial exposure from data loss and theft.
The one in 10 organisations with the best outcomes, as studied by our IT Policy Compliance Group, spend 0.4 percent of revenue on data loss exposure, compared with the companies with the worst outcomes, which spend 9.6 percent of revenue on costs related to data loss.
Other studies reveal similar findings. Companies that experienced a data breach last year but had a CISO in place who managed the data breach incident experienced an average cost of US$157 per compromised record versus US$236 for companies without CISO leadership, according to the Ponemon Institute's 2009 Cost of a Data Breach study. This means companies that experienced a data breach but did not have a CISO to manage the incident spent 50 percent more than companies with a CISO.
The Ponemon Institute notes that this outcome is probably "due to the strategic role CISOs play in ensuring security and privacy measures are effectively implemented."
In addition to lowering costs in the event of a data breach, the most successful companies with a CISO also spend 50 percent less on regulatory compliance, our IT Policy Compliance Group found.
CISOs highlight the need for more than just technology
CISOs reduce risk and cost, but they also highlight the importance of viewing security as part of the business process, rather than just an IT problem.
For organisations that are plagued with the highest rates of data loss and theft, a common management approach to information security is that security is only a technology issue. These organisations leave security to be managed by IT operations without the proper oversight and control, our IT Policy Compliance Group found.
Companies that have the best business outcomes are managing information security at a higher level as a quality-controlled function that goes beyond the technologies involved. Automation of policies, procedures and controls is an important part of the equation for those companies with the best outcomes.
Among the organisations with the best outcomes, an average of two-thirds of procedures and controls related to the information security and assurance function are fully automated, according to our IT Policy Compliance Group. Contrast this with the worst-performing organisations, which automate less than one-third of procedures and technical controls.
In addition, the best-performing organisations also automate measurement and reporting. These organisations assess and report on key risks, controls and indicators on a daily, weekly and monthly basis, whereas the worst-performing organisations assess and report no more than every five months.
Simply put, CISOs contribute to better business results by ensuring security measures are fully implemented, by standardising and automating procedures, and by taking a strategic role within the organisation to make information security a part of the business process.
Jim Hurley is the managing director of Symantec's IT Policy Compliance Group.