The CISO Agenda for 2014/2015

Managing Vice-President of Gartner, F. Christian Byrnes closed the Gartner Security and Risk management Summit with a look at what will be on the agenda for the CISOs over the next year.

Gartner has conducted extensive research and, through a survey of 900 businesses with at least 100 employees and revenues of over $50M, they concluded that C-Level executives and Boards are well aware of their obligations when it comes to risk with 85% of companies having a dedicated information security team. And over a third of the respondents have the CISO reporting outside the CIO, reflecting a maturity that shows security risk is not a technical concern but a business-wide one.

A more detailed look at the survey also showed that information security programs had a high degree of organisation and formalisation and that this extended right into the application development lifecycle as well as regulatory compliance and process improvement.

Of the companies with information security programs, nine in ten respondents said that they had a formal data classification process with the vast majority finding this a useful tool in managing information security effectively.

What kind of projects should CISOs be planning for 2014 to 2015? According to the research presented by Byrnes, next-gen firewalls and formal privacy programs topped the list on CISO plans for the next year. In contrast, 10 years ago the priorities were setting up a security program, refreshing the existing firewall and buying an IPS.

Looking at different industries, it's not surprising that Gartner's data, which spanned a broad array of different industry verticals, found that insurance and banking had the greatest maturity when it came to IT security. In contrast, the research showed retail and education lagging.

When it comes to putting their money where their intentions are, just under half of the companies surveyed are looking to increase their budgets on network security, data security, applications security and IT Privacy process management. About half of the respondents expect to maintain the same level of spending on IT security with about 10% expecting to decrease spending.

Although it's clear that the vast majority of business surveyed by Gartner expect to either maintain or increase their security budgets, the number of new staff looks to remain more static with only about a third considering some sort of increase in security staff levels.

Call to action

In closing the Security and Risk Management Summit, Byrne offered up an action plan for attendees.

The immediate tasks for CISO's according to Byrne, was to focus on a subset of priority issues, and drive actions that deliver near-term improvements.

Over the next three months he suggested businesses need to establish a current-state baseline that becomes a foundation for continuous improvement and then assess planned investments and how they compare and align to Gartner's survey analysis.

For the next year the focus should be, in Gartner's view, on communicating the CISO's compelling future vision, to define and communicate realistic and measurable, time-bound goals, and establish tracking systems to check when the goals are achieved.

This should result in CISO further establishing credibility and elevate the image of the security organization.

This article is brought to you by Enex TestLab, content directors for CSO Australia.