by Thor Olavsrud

Successful CSOs Share Fundamental Qualities

May 03, 20125 mins
Business IT AlignmentData and Information SecurityData Breach

In a recent study,IBM concluded that successful security organizations tend to have common characteristics, including a dedicated chief security officer with strategic vision and the ear of business leaders.

The organizations best-prepared to face today’s security threats share a fundamental profile that separates them from organizations trapped in crisis-response mode. That’s the finding of the IBM Center for Applied Insights, which recently conducted double-blind interviews of 138 security leaders—chief information security officers (CISOs) and other IT and line-of-business executives responsible for information security in the enterprise—to gain a better understanding of security leaders’ strategies and approaches.

Marc van Zadelhoff, vice president of Strategy for IBM Security Systems, says the study led IBM to divide security leaders into three categories based on both the maturity of their organization and its breach preparedness.

The lowest-ranking category, representing 28 percent of respondents, are Responders. Responders remain trapped in response mode. They work to protect the enterprise and comply with regulations and standards, but van Zadelhoff notes they struggle to make strategic headway and may not yet have the resources or business influence to drive significant change.

The middle category, representing 47 percent of respondents, are Protectors. Van Zadelhoff says protectors recognize that security is a strategic priority but lack the metrics-driven view and the budget authority to transform their organization’s security approach.

The most forward-thinking security leaders are the Influencers, representing 25 percent of the respondents. Influencers have a strategic voice in the enterprise that comes with both business influence and authority.

IBM explored three broad categories when creating the security profiles: structure and management, organizational reach and measurement.

Structure and Management

One of the most telling characteristics that sets Influencers and Protectors apart from Responders is the presence of a dedicated leader for the security role with a strategic, enterprise-wide purview. Influencer organizations are more likely to appoint a CISO because their senior management recognize the need for a coordinated approach, van Zadelhoff explains.

“A lot of people don’t have an officially named CISO,” van Zadelhoff says. “About half of the companies in the survey didn’t have a single person named into that role, whether in name or in spirit. Companies that have an Influencer in the role versus merely a Responder, the Influencers tend to have a dedicated CISO.”

The most progressive security organizations also tend to have a security steering committee headed by a senior executive—often the CISO-with a charter to evaluate security issues holistically and develop an integrated enterprise strategy. The security/risk committee is responsible for systemic changes that span functions, including legal, business operations, finance, human resources and more. Responders, in particular, often lack a CISO and security steering committee.

IBM says that organizations that lack of a dedicated security leader and security steering committee have a more tactical and fragmented approach to security.

“This is where we see a lot of difference between the CISOs that are succeeding and the ones that are flailing,” van Zadelhoff says. “The successful ones are getting the buy—in from non-security executives.”

Influencers also tend to have a dedicated security budget line item that supports their efforts. Whether organizations are Responders, Protectors or Influencers, CIOs typically control that budget, but Protectors and Influencers also often give that authority to business leaders instead. Among Influencers, CEOs are just as likely as CIOs to steer the information security budget. van Zadelhoff says a lack of a dedicated budget line item forces security organizations to constantly negotiate for funding or limits the scope of initiatives to specific functions or silos.

Organizational Reach

IBM says the most progressive security organizations also have the attention of business leaders and their boards, not just as ad-hoc topics but as a regular part of business discussions. This gives CISOs the ability to focus their efforts on enterprise-wide education, collaboration and communication.

In fact, while the more tactically oriented Responders are focusing their attention on foundational building blocks-new security technology to close security gaps, redesigning business processes and hiring new staff-Influencers are concentrating on creating a culture in which employees take a more proactive role in protecting the enterprise. And IBM says their greater integration with the business gives them the additional ability to influence the design of new products and services, incorporating security considerations early in the process.


The most successful security organizations are also the most likely to measure their effectiveness with metrics. All three categories are likely to assign importance to metrics for compliance, risk and ability to deal with future threats and vulnerability. Influencers also place a high importance on metrics for education and awareness, speed of recovery from incidents and day-to-day security operations.

“Not only are Influencers measuring more consistently, but they’re measuring more broadly,” van Zadelhoff says.

Getting Security From Here to There

In many ways, van Zadelhoff says, the categories represent a continuum on the evolutionary scale of security organizations. And that means that with the proper plan, Responders can transform themselves in Protectors and eventually Influencers.

Responders can take a number of steps to improving their footing. First, he says, they should focus on establishing a dedicated security leadership role, assembling a security and risk committee and measuring their progress. Then they should pay attention to automating routine security processes to devote more time and resources to security innovation.

Protectors can also plan a route forward. van Zadelhoff says they can make security more of a strategic priority by taking a number of steps: investing more of their budgets on reducing future risks; aligning information security initiatives to broader enterprise priorities; and learning from and collaborating with a network of security peers.

Finally, Influencers can continue to hone their approach by strengthening their communication, education and business leadership skills and by using insights from metrics and data analysis to identify high-value improvement areas.

Thor Olavsrud covers IT Security, Open Source, Microsoft Tools and Servers for Follow Thor on Twitter @ThorOlavsrud. Follow everything from on Twitter @CIOonline and on Facebook. Email Thor at