When it comes to securing business-technology systems, CIOs face a challenge that won't go away.
The problem isn't necessarily new attack techniques, insecure software or even the latest government regulations. Rather, it's the challenge of seeing eye-to-eye with the CSO about how much security is enough.
The tenth annual Global Information Security Survey, conducted by PricewaterhouseCoopers and CIO's sister publication, CSO magazine, found that many of the 12,052 business and technology execs surveyed think that an overall lack of security leadership remains a serious obstacle to getting CIOs and CSOs on the same page, and others feel they lack an effective information security strategy.
Consider this: Only a third of respondents said security policies were tightly aligned with business goals, and 46 percent said they were only somewhat aligned.
With CIOs, business executives and IT security teams misaligned, it's next to impossible to build a consistent, sustainable security and risk management program that is capable of stopping the highly intelligent, motivated adversaries organizations face today.
This lack of cohesiveness between executive and security teams is also a large part of why so many believe that IT security gets insufficient capital and operating budget, says Jayson Street, CIO at Stratagem 1 Solutions, a security services provider.
"Much of this disconnect falls at the feet of the IT security profession," Street says. "It is IT security that, too often, is failing the business. We don't communicate risk well enough, and why the risk is worth mitigating."
Frank Cervone, vice chancellor for information services and CIO at Purdue University Calumet, says many security professionals focus more on specific risks and not on how those risks stack up against other pressing issues. "There is a difference in scope as to what the CIO has to look at as opposed to the CSO. The CSO doesn't always see the larger issues and needs to do a better job relating IT risks to overall business risk," says Cervone.
Mark Lobel, a principal in the advisory services division of PwC, agrees. "The business leaders have to manage what is burning, and rarely does security rise to be a pressing issue, unless a breach or something bad has just occurred," says Lobel. "It's hard to explain and quantify such an abstract risk to the business."
Lobel advises CIOs to work more closely with their security teams, and says that CSOs should link security needs to the overall direction and strategy of the business. For instance, if an important part of the business is Web applications, being able to keep those applications secure is key to the business's success.
Everyone interviewed encourages CIOs to focus on building out security programs based on measurable risks and outcomes. Too many organizations today are operating on gut instinct, our survey revealed.
The largest percentage of respondents (35 percent) measure the effectiveness of security spending by professional judgment, followed by reduced security incidents and breaches (29 percent), and total cost of ownership (24 percent). Less than a quarter of firms (24 percent) measure improvement against security metrics. One in five respondents do not know how the effectiveness of their IT security program is measured.
Those results are surprising, considering the substantial costs of security events when do they happen. Financial losses, according to our survey, average more than $1.6 million per incident.