CISOs: The Good, The Bad & The Ugly
Ponemon Benchmarks & Factoids
CISO Summit
Keynote by Dr. Larry Ponemon
Scottsdale, AZ
December 4, 2013
Ponemon Institute LLC
The Institute is dedicated to advancing responsible information management
practices that positively affect privacy and data protection in business and
government.
The Institute conducts independent research, educates leaders from the private
and public sectors and verifies the privacy and data protection practices of
organizations.
Ponemon Institute is a full member of CASRO (Council of American Survey
Research Organizations). Dr. Ponemon serves as chairman of CASRO’s
Government & Public Affairs Committee of the Board.
The Institute has assembled more than 65 leading multinational corporations
into the RIM Council, which focuses on the development and execution of
ethical principles for the collection and use of personal data about people
and households.
The majority of active participants are privacy or information security leaders.
11/26/2013 2Ponemon Institute: Private and Confidential
Facts and Factoids
11 Myths about CISOs
• Many larger-sized companies do not have a fully dedicated CISO
• The CISO role is fairly complex
• Most CISOs lack the budget and budget authority to get the job done right
• CISO activities are more tactical than strategic
• CISOs are advisors/consultants, not the decision maker
• CISOs have a hard time getting executive buy-in
• CISOs have a hard time keeping their jobs (or wanderlust)
• Many CISOs are positioned too low in the organization to be effective
• Many CISOs feel they are under compensated
• CISO authorities and responsibilities are often shared, not owned
• Most CISOs do not enjoy face time with the CEO or Board
Source of CISO Factoids
• Factoids are derived from various survey or benchmark studies focused on
IT or “cyber” security roles conducted over the past few years
• Meta-analysis was performed on as many as 34 studies involving larger-sized
organizations to capture certain facts
• Participants (respondents) included IT and IT security practitioners ranging
in position from technician or staff-level personnel to senior executives. The
largest sample segments included respondents at the director, manager or
supervisory levels
• Meta samples included more than 30 industry segments. The largest
segments typically included financial services, public sector (government),
services (including IT and professional services) and retail
• While a majority of respondents are located in the United States, several
studies included individuals in more than 29 countries (representing all
major economic regions)
CISO attitudes about their present role
• Best job I ever had: 11%
• A good job but not the best: 33%
• A bad job but not the worst: 32%
• Worst job I ever had: 24%
Study of companies with 1,000 or more employees
How many companies have a CISO (or equivalent title)?
• Fully dedicated: 40%
• Partially dedicated: 16%
• None: 44%
Study of companies with 1,000 or more employees
CISO’s influence and control
• Shared influence and control: 55%
• Central influence and control: 22%
• Central influence, shared control: 17%
• Shared influence, central control: 6%
Study of companies with 1,000 or more employees
How is influence & control shared or divided?
Shared by:
• Geography: 41%
• Line of business: 30%
• Functional areas: 14%
• Data centers: 8%
• Other: 7%
Study of companies with 1,000 or more employees
The CISO’s budget authority
• Full ownership (Capx and Opx): 28%
• Partial ownership (Opx only): 43%
• Partial ownership (Capx only): 6%
• No authority: 23%
Study of companies with 1,000 or more employees
CISO discretionary budget per annum
• < $1,000,000: 9%
• $1,000,000 to $2,000,000: 14%
• $2,000,001 to $3,000,000: 18%
• $3,000,001 to $4,000,000: 20%
• $4,000,001 to $5,000,000: 19%
• $5,000,001 to $10,000,000: 10%
• > $10,000,000: 10%
Study of companies with 1,000 or more employees
CISO’s chain of command (to whom the CISO reports)
• CIO: 56%
• CFO: 15%
• Risk management: 11%
• Business unit: 4%
• CSO: 3%
• CTO: 3%
• Data center management: 2%
• Compliance: 2%
• COO: 2%
• Internal audit: 1%
• CEO: 1%
Study of companies with 1,000 or more employees
CISO – steps below the CEO
• 1 step: 2%
• 2 steps: 16%
• 3 steps: 45%
• 4 steps: 23%
• 5 steps: 12%
• > 5 steps: 2%
Study of companies with 1,000 or more employees
CISO – Number of CISO’s direct reports or “span of control”
• 0 (none): 13%
• 1 to 2: 11%
• 3 to 4: 30%
• 5 to 6: 27%
• 7 to 8: 10%
• 9 to 10: 5%
• > 10: 4%
Study of companies with 1,000 or more employees
Metrics used to determine the success or failure of the CISO organization
• None: 36%
• Mostly internal: 30%
• Mostly external: 12%
• Combination of internal and external: 22%
Study of companies with 1,000 or more employees
Examples:
• Internal – number of users who receive security training
• External – number of data breaches of 1,000 or more confidential records
Average rank of seven critical success factors for CISOs
(1 = Most important to 7 = Least important)
• Adequate funding: 1.89
• Preparedness (readiness): 2.41
• Support structures: 2.90
• Leadership: 3.88
• Organizational culture: 4.22
• Domain expertise or knowledge: 5.81
• Agility: 6.55
Study of companies with 1,000 or more employees
What is the total FTE headcount of the CISO organization?
Direct and indirect headcount, combined
• 0 (none): 5%
• 1 to 5: 15%
• 6 to 10: 23%
• 11 to 15: 39%
• 16 to 20: 10%
• > 20: 8%
Study of companies with 1,000 or more employees
What best describes the CISO’s reporting structure?
• Direct line only: 53%
• Direct plus one indirect line: 31%
• Direct plus two or more indirect lines: 9%
• Only indirect lines (fuzzy): 7%
Study of companies with 1,000 or more employees
CISO – Gender differences
• Male: 89%
• Female: 11%
Study of companies with 1,000 or more employees
CISO – Years of relevant experience
• < 5 years: 8%
• 5 to 10 years: 25%
• 11 to 15 years: 28%
• 16 to 20 years: 19%
• > 20 years: 22%
Study of companies with 1,000 or more employees
CISO tenure (average 2.1 years)
• < 2 years: 51%
• 2 to 3 years: 31%
• 4 to 5 years: 10%
• 6 to 10 years: 5%
• > 10 years: 3%
Study of companies with 1,000 or more employees
CISO-equivalent job titles
• Chief security officer: 41%
• SVP information/data security: 14%
• VP information/data security: 13%
• Director information/data security: 12%
• EVP information/data security: 5%
• Director information risk management: 2%
• Chief security engineer: 2%
• Chief security architect: 2%
• Executive director information/data security: 2%
• Director security risk management: 1%
• Director intellectual property management: 1%
• Chief security technology officer: 1%
• Chief security strategist: 1%
• Chief security scientist: 1%
• Managing director information/data security: 1%
• Director information audit: 1%
Study of companies with 1,000 or more employees
Primary rationale for establishing the CISO function
• Ex-post response to a security incident or breach: 52%
• Ex-post response to compliance and regulatory snafus: 21%
• To keep pace with other companies: 12%
• In response to liability and exposure: 8%
• To preserve reputation: 5%
Study of companies with 1,000 or more employees
How difficult is the CISO’s job?
Rating on a 1 to 10 scale
• 1 to 2 (easy): 2%
• 3 to 4: 3%
• 5 to 6: 26%
• 7 to 8: 26%
• 9 to 10 (difficult): 43%
Relative to other C-level executives, are CISOs fairly compensated?
• Below other C-level executives (unfair): 39%
• Equivalent to other C-level executives (fair): 50%
• Above other C-level executives (generous): 11%
Study of companies with 1,000 or more employees
CISO’s base annual compensation (US dollars)
Salary information about 133 actual CISOs
• $200 to 300k: 17%
• $301 to 400k: 46%
• $401 to 500k: 15%
• $501 to 1 million: 20%
• > $1 million: 2%
See SecureWorld & Ponemon’s newest benchmark study
CISO-relevant backgrounds
• MIS, computer sciences: 34%
• Law enforcement: 20%
• Military: 16%
• Intelligence: 14%
• Compliance/legal: 5%
• Homeland security: 5%
• Audit/finance: 4%
• Other: 2%
Study of companies with 1,000 or more employees
How CISOs spend their time (100 points allocated across activities)
• Monitoring and audit: 23
• Policy enforcement: 16
• Incident management: 12
• Business continuity management: 11
• Risk assessment: 10
• General management: 6
• Readiness testing: 5
• Planning: 5
• Procurement: 4
• Recruitment: 2
• Education and awareness: 2
• Policy development: 2
• Strategy setting: 1
• Corporate communications: 1
Study of companies with 1,000 or more employees
Essential dotted line relationships with the CISO role
• IT operations: 78%
• Data center management: 55%
• Corporate compliance: 39%
• Business continuity management: 36%
• Privacy office: 28%
• Enterprise risk management: 21%
• Human resources: 16%
• Internal audit: 8%
• Corporate finance: 4%
Study of companies with 1,000 or more employees
The CISO role is best described as . . .
• Consultant: 40%
• Influencer: 23%
• Controller/decision maker: 21%
• Advocate: 11%
• Combination of the above: 5%
Study of companies with 1,000 or more employees
What CISOs think – Who are their heroes?
• Sports figure: 25%
• Military leader: 23%
• Business founder/entrepreneur: 15%
• Cartoon character: 15%
• Famous celebrity: 12%
• Religious figure: 5%
• Government leader: 2%
• Social advocate: 2%
• Inventor/scientist: 1%
Study of companies with 1,000 or more employees
Barriers to the CISO’s success
• Lack of adequate funding: 56%
• IT complexity: 42%
• Lack of qualified personnel: 41%
• Employee negligence: 33%
• Disruptive technologies: 26%
• Insufficient technologies and tools: 25%
• Lack of executive buy-in or support: 23%
• Silos and turf issues: 20%
• Insecure third-party relationships: 18%
• Shadow IT issues: 16%
Study of companies with 1,000 or more employees
CISO’s greatest single accomplishment (on the job)
• Solved a crime: 33%
• Stopped a crime: 32%
• Identified system vulnerability: 19%
• Protected colleagues/personnel: 5%
• Secured funding: 3%
• Educated management/board: 3%
• Persuaded management: 3%
• Obtained recognition: 2%
Study of companies with 1,000 or more employees
How the CISO reports to the board
• No reporting occurs: 33%
• Informal, event driven: 30%
• Formal, regular intervals: 20%
• Informal, at the will of the CEO/board: 12%
• Formal, irregular intervals: 5%
Study of companies with 1,000 or more employees
Caveats & Limitations
• Non-response bias: The current findings are based on a meta sample of survey
returns. We sent surveys to a representative sample of IT and IT security
practitioners, resulting in a large number of usable returned responses. Despite
non-response tests, it is always possible that individuals who did not participate
differ substantially in their underlying beliefs from those who completed the
survey.
• Sampling-frame bias: Accuracy depends on the contact information used and the
degree to which the list is representative of IT practitioners who deal with a wide
array of issues. We also acknowledge that responses gathered on paper, in
interviews or by telephone might result in a different pattern of findings.
• Self-reported results: The quality of survey research depends on the integrity of
the confidential responses received from respondents. While certain checks and
balances were incorporated into our survey evaluation process, there is always the
possibility that certain respondents did not provide responses that reflect their true
opinions.
Questions?
Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N., Traverse City, MI 49686 USA