The Ponemon Institute and F5 Networks collaborated on a global research study—The Evolving Role of CISOs and Their Importance to the Business—to better understand CISOs, their challenges, and their approaches. This study collected information based on interviews with senior-level IT security professionals (CISOs and CISO-equivalent roles) at 184 companies in seven countries.
Participants in this research agree that as cyber attacks and other threats increase in frequency and sophistication, the CISO role will become more critical, especially in managing enterprise risk, deploying security analytics, and ensuring the security of Internet of Things (IoT) devices. However, to play a bigger role in their organizations, it is essential not only that CISOs have the necessary technical expertise and leadership skills, but also that they understand their companies’ operations and be able to articulate IT security priorities from a business perspective. According to the India-based participants in this research, the following are key approaches for securing business operations despite the increasing severity and frequency of cyber exploits and data breaches:
CISOs believe in the importance of an executive-level security leader
Specifically, respondents believe the appointment of an executive-level security leader with enterprise-wide responsibility is the most important governance practice for organizations (56 percent). Also important is the creation of a cross-functional committee to oversee IT security strategies (52 percent).
Enforce policies that protect the organization from insider negligence
Many companies represented in this study have guidelines and policies for minimizing malicious and negligent insider risk. However, only 31 percent of respondents say employees and immediate supervisors are held strictly accountable for IT security infractions and non-compliance.
Assess the risks created by the Internet of Things (IoT)
Eighty-three percent of respondents say the IoT will cause significant or some change to their practices and requirements. Most of these companies are setting new policies and standard operating procedures (76 percent) or conducting tests to ensure IoT devices do not present security risks (66 percent).
Hold third parties to a higher standard of security
Sixty percent of respondents say their organizations outsource an average of 36 percent of IT security requirements. While respondents say outsourcing security functions is considered an important option, it does create risk. Fifty-five percent of respondents say outsourced services are always or most of the time held to the same standards as on-premises security operations.
Invest in technologies that enable the move from protecting the perimeter to protecting endpoints, applications, and data
According to the findings, 45 percent of respondents say their organizations’ security posture today is dependent on network security. Twenty-three percent of respondents believe the IT security posture will be less dependent on network security in the next two years, and more dependent on application security (31 percent) and endpoint security (30 percent).