2011 State of the CSO

This post sponsored by the Enterprise CIO Forum and HP.

Security By edleckert on flickrThe 8th Annual CSO Magazine State of the CSO report was released last month – I finally got my hands on a copy.  Thanks Colin!

Sidenote: Nice timing on finding this report since October is Cyber Security Month….read more on getting prepared for Cyber Security Month in Jerry Bishop’s recent Enterprise CIO Forum post.

The 2011 State of the CSO report outlines the results gathered from 229 respondents during a survey in March 2011.

Some key highlights from the survey:

  • Fewer than 2/3’s of security professionals believe their organization’s employees are trained on security related topics
  • Only 35% of respondents believe their organization’s employees consider security to be party of their daily responsibilities
  • Nearly 1/3 of respondents plan to add staff to the security function of the organization
  • Roughly 38% of respondents are planning an increase in security in the coming year
  • 64% of respondents agree that senior management view security and the security leaders as important, permanent and strategic
  • More than 60% of respondents believe that senior leadership is placing more value on security and risk management

Some interested responses but not surprising to me.  I’m not a Security pro at all but I would think that most organizations are focusing a good deal of effort and budget on ensuring both IT and Physical Security are improved throughout the enterprise.

One aspect that I found interesting is the area  focused on current and future trends that will most affect the security profession.  The responses were interesting…they are:

  • 26% of respondents pointing to ‘ubiquitous data’ as having the largest impact on the security profession
  • 21% of respondents believing technology as a service as having a large impact.
  • 20% believe that  Gen Y & Millennials entering the workplace will have a considerable impact on the security profession.

Some interesting results there. Ubiquitous Data, defined by the survey as the ability for users to have constant access to data and services, is getting closer to being a reality for all organizations.

To grab a copy of the 2011 State of the CSO Report, jump over to CSO Magazine and sign up for access.

Image Credit: Security By edleckert on flickr

This post sponsored by the Enterprise CIO Forum and HP.

11 responses to “2011 State of the CSO”

  1. Published: 2011 State of the CSO http://t.co/Qx0VvL67 #CIO, #CSO

  2. 2011 State of the CSO: This post sponsored by the Enterprise CIO Forum and HP.The 8th Annual CSO Magazine State … http://t.co/DrzZikcA

  3. 2011 State of the CSO http://t.co/OdKFFO9s from @ericdbrown

  4. jfbauer Avatar
    jfbauer

    Thanks for the link … I skimmed the report and, as well, didn’t find anything that I found particularly striking. The ubiquitous access to data is challenging traditional security pros to rethink the “hard outer shell, soft gooey center” approach to security that has dominated the security architecture of the 00s. The “bring your consumer mobile device to work” in order to access that ubiquitous data rings of the late 90s rise of companies pushing to monetize their Internet presence against the relatively immature browser and desktop OS market at the time. There are bound to bumps in the road as both the consumer technology offers more balance in device controls and security pros get more comfortable what technical risk mitigations exist in these platforms.

    The aggressive media reporting on security issues both helps to raise awareness during corporate budgeting of security initiatives while making it ever more challenging to discover true emerging new security trends compared to hype.

    [Of course, this represents my personal view and in no way represents my current employer’s view in this area]

    1. ericbrown Avatar

      Hi John –

      Some of the aspects of the report were interesting but I doubt anyone would argue that they are new issues faced by security professionals.

      You raise a very good point hype vs trends vs reality. How does a CIO / CSO / IT professional deal with the hype vs reality?

      1. jfbauer Avatar
        jfbauer

        @ericbrown Well, if you are a CSO/CIO/IT Pro, the hype actually works to your advantage. It can be a struggle to build a security business case: “We need to spend X millions of dollars on a Y to avoid getting hacked.” “What is the likelihood we will get hacked?” “Well, high.” “What if we spend X/2?” “Well, we could …” It is challenging to convince senior management to spend money on a non-revenue generating thing like security especially if there hasn’t been a recent security event at the company that has sensitized executives. The hype can be leveraged to add more anecdotal evidence to support your security business case.

        At the same time, you have to be careful in leveraging the hype and media play around security. If you over leverage the “fear factor” to support your case you run the risk of not coming across as credible. Senior management (IMMHO) is not fond of being constrained by fear in order to be forced to make decisions.

        I guess, in a word, “balance”. Make references to the latest media hype around perceived growing security nastiness but don’t over do it to the point that you come across as hysterical and thus not credible.

        1. ericbrown Avatar

          @jfbauer Excellent insight John. I’ve seen many CIO’s over do it when it comes to playing up the Hype to get more money and resources. Its kind of like the boy who cried Wolf…cry Wolf too many times without a proper reason and/or evidence of the Wolf, the organization will stop listening.

        2. jfbauer Avatar
          jfbauer

          @ericbrown Yes, “the boy who cried Wolf” is very much what I was trying to convey. Playing the fear card effectively might just influence the gut decision senior management makes to shift some funds from a project they want to spend money on to a security project that they loath.

  5. Shared: State of the CSO by @EricDBrown http://t.co/4QvnRc5E <JB:God summary, I added my thoughts in the comments

  6. Shared: State of the CSO by @EricDBrown http://t.co/4QvnRc5E <JB:Oops, make that "good" summary, no deities were involved

  7. Shared: State of the CSO by @EricDBrown http://t.co/4QvnRc5E <JB:Good conversation continuing on Eric's post