Covering the latest industry trends and an excellent source of thought leadership.
Online Tech is exhibiting secure and compliant hosting solutions at Detroit SecureWorld 2013, held yesterday and today. In case you missed it, here are some facts from the opening keynote from Dr. Larry Ponemon of the Traverse City-based research firm, The Ponemon Institute:
Facts about IT Security Leaders
Dr. Larry Ponemon
• Institute dedicated to advancing responsible info management practices.
• Member of CASRO
• Majority of active participants are privacy or InfoSec members
Most reports are 2-3 years old.
40% have fully dedicated CISO
44% don’t have CISO
The rest are part-time
Chain of command – Report to:
If you’re doing your job as a CISO, sometimes you’re going to be reporting about will be in the IT department, or even the CIO. You don’t want to report to the CIO, who could potentially censor that information as it heads farther up the chain.
In general, we see this issue creates some sticky issues.
How many steps between CEO and CISO:
Number of people report to CISO:
Average is 3-6. Most CISOs are advisors, they don’t need a huge staff. It can be a problem when something needs to be implemented but you aren’t a priority to the staff
How do you measure effectiveness:
If you boil the ocean, you really only have two measurements (external and internal) –
Rank of critical success factors:
What is CISO’s reporting structure:
In privacy, women are more likely to be CPOs than CISOs
Average 2.1 years
51% less than 2 years
Why? There’s so much demand that they can jump from job to job. The other likely reason is that when something goes wrong, someone needs to be blamed, and that someone is the CISO.
CISO equivalent job titles:
Chief Security Officer
SVP Information/data security
Rationale for establishing CISO function:
CISO attitudes about present role:
How do CISOs spend their time?
Monitoring and audit (23%)
Policy enforcement (16)
Suggests CISOs are more tactical than strategic – if you don’t have the relationship between IT ops, you’re not going to get anything done.
CISO role described as Consultant (40%)
Does CISO report to board?
A lot of CISOs like to roll up their shirt sleeves and don’t delegate well, but when you have Chief in your title, you have to back up and learn to delegate more. That’s a common trait you see throughout security. So now you’re a chief, how do you delegate that? It’s a big problem, and a common problem throughout the industry.