The CSO’s Role & Priorities – Part 1
By: Bob Bragdon | 10/18/2018
For the past two years CSO and its parent – IDG Communications – have conducted the Security Priorities study, an examination of the CSO’s place in the business, their challenges, and what their priorities and purchasing plans are for the coming year. Since we’ve recently released this year’s findings, I thought we could take the opportunity to review some of them. The survey is fairly extensive, so here is the first post – another is coming soon.
How Many Businesses Have a CSO?
Of all the questions I am often asked, “how many businesses have a CSO or a CISO” is, probably, the most common. What we have seen over the years, and what this year’s study continued to affirm, is that the CSO role is growing, and as it grows in adoption it’s gaining importance and influence within the business. (Because the terms CSO and CISO are generally interchangeable, I’ll refer to either as CSOs for purposes of this analysis.)
Close to two-thirds of enterprise businesses (those with 1,000 or more employees) have a CSO. For businesses with fewer than 1,000 employees, nearly 3 out of 10 have a CSO.
Although greater among enterprises, these numbers reflect the importance that security plays in businesses of all sizes, but they also lead us to a further discussion about where security sits in the business.
In a separate IDG study this year, CIOs show a growing commitment that a “tightly integrated, IT security strategy is an integral part of our overall IT strategy and roadmaps.” When asked about mandates from the CEO, that same study found that security was the #1 priority for CIOs, up from #8 in 2012. (State of the CIO, 2018)
Security and IT
Security Priorities also looked at how security is structured in relation to the IT organization. This has been an evolving model that varies significantly from organization to organization. However, there appears to be a growing trend of the security organization being separated from the IT organization.
In 4 out of 10 enterprise businesses, security is managed as a stand-alone department separate from IT. In smaller businesses only 1 out of 10 are separate from IT.
Certainly, this reflects the business assigning greater importance to security for a variety of reasons, from regulatory compliance to concerns about potential reputational and financial damage.
Budgets are on the Rise
More than half of the businesses we surveyed expect their IT security budgets to increase in 2019, and they are expecting increases of 13% on average over this year’s budget levels. Organizations with CSOs, or where security is managed as a stand-alone department, are more likely to see budget increases, and those increases tend to be larger.
One of the challenges we’ve heard repeatedly over the years is the difficulty that CSOs have in instituting good security practices over the parts of the business that they don’t own or control.
In order to exercise some level of influence over parts of the business that they do not control (such as DevOps or line-of-business units), CSOs focus their efforts on gaining greater support from corporate leadership to mandate security as part of the business process, and on becoming a resource that offers strategic guidance regarding planned IT purchases. They are also establishing themselves as resources to other parts of the business and, in some cases, establishing security positions in these other units to help identify and mitigate risks.
Collectively, these findings profile an increasingly independent and critical business role that organizations of all sizes are leaning into. In the next post, we’ll examine where CSOs are focusing their investments, what’s driving those investments, and how the difficulty in finding experienced security professionals is putting it all in jeopardy.