2011 State of the CSO

CIO, CSO and PwC join forces to deliver the State of the CSO survey. Mixed results indicate there's work ahead.

  • Look at these numbers over a multi-year period. This year—for the first time in the course of the survey—three long-term strategic trends in information spending have appeared in the spotlight.

    1. Security is on the CFO’s “protect” list

    We first saw evidence of this last year. This year’s data provides additional confirmation of the trend. As the function matures—and contributes in more obvious and direct ways to business objectives
    —it is encountering much more stable funding curves. As the survey revealed last year, security funding is protected during the “down” cycle. And—as we will point out in the pages that follow—this funding
    is increased as market vigor returns.

    2. Yet security is still vulnerable to the “flavor of the year” 

    Because security sits at the heart of the business, its spending drivers—the factors emphasized most prominently and most often by executives seeking funding for security-related initiatives—tend
    to be very closely aligned with the “hot priorities” of the business,whatever they might be at the time. In short, security’s spending drivers are susceptible to what we might call the “flavor of the year.”
    Take the US market, for example. In 2007, six years after the events of 9/11, 68% of US respondents identified business continuity and disaster recovery as the single largest driver of security spending,
    compared with 43% today. In the same year—five years after the passage of the Sarbanes-Oxley Act and two years after the Health Insurance Portability and Accountability’s (HIPAA) Security Rule took
    effect—US respondents identified regulatory compliance as the second-greatest spending driver, compared with 47% today.

    3. The “water drop” effect

    Big splash – then diffusion. After peaking as drivers, each of these factors, from business continuity to regulatory compliance, shifts from an “external game-changer” to an “internal given.” They remain
    important to the organization—often crucially so—but precisely because of their value, they become integrated into the business.
    How? Through, for example, newly automated systems or featureenhanced software. Updated job descriptions. Policies and business practices. And more comprehensively designed internal controls.

  • This year, adoption levels for many information security-related processes appear to have stalled—an unplanned consequence, perhaps, of the austerity in the funding environment.

    Respondents are just as likely as they were last year, for example, to have an overall security strategy in place (65% in 2009, 65% this year), use vulnerability scanning tools (53% in 2009, 53% this year), and have wireless (cellular and Wi-Fi) security standards and procedures (45% in 2009,45% this year). 

    In many cases, however, these adoption rates are actually in decline.

    Fewer respondents compared with last year, for example, conduct personnel background checks (60% in 2009, 56% this year), dedicate people to monitoring employee use of the Internet and information assets (57% in 2009, 53% this year), and conduct an employee security awareness program (53% in 2009, 49% this year).

    Just a one-year impact? Maybe so. But where it occurs, this regression often returns these capabilities to 2008 levels or below.

  • As if protecting data across applications, networks and mobile devices wasn’t complex enough, social networking by employees is presenting organizations worldwide with a new and growing frontier
    of risk.

    The risks, from an information security perspective, include the loss or leaking of information; statements or information that could damage the company’s reputation; activity such as downloading pirated
    material with legal and liability implications; identity theft that directly and indirectly compromises the company’s network and information;and data aggregation in building up a picture of an individual to mount security attacks through social engineering.

    Few companies are adequately prepared to counter this threat.

    Most companies (60%) have yet to implement security technologies supporting Web 2.0 exchanges such as social networks, blogs or wikis. And even more (77%) have not established security policies
    that address the use of social networks or Web 2.0 technologies—a critical strategy that costs virtually nothing. 

  • Consider the strategies organizations are engaging to continue meeting security objectives in the face of this year’s uncertain economic conditions.

    For the second year in a row, increasing the focus on data protection is the single most common strategy worldwide. Also consistent with last year’s results are other priorities—such as prioritizing security investments based on risk; strengthening the company’s governance,
    risk and compliance program; and accelerating the adoption of security-related automation technologies to increase efficiencies and cut costs.

    Yet a second set of trends includes other strategies:

    • Such as increasing reliance on managed security services.
    • Reducing the number of full-time security personnel.
    • And shifting security-related responsibilities to non-security personnel.

    The business rationale behind these tactics, of course, is based on the need for greater efficiencies and a more reliable supply of more diversified security-related skills.

    Like IT, security needs to lower the cost of ongoing operations and devote more of the budget to new
    value-creation activities. But at the same time—and this is critical—these tactical strategies, in some cases, may be opening up organizations to new areas of risk.

    For example, if companies are increasing their reliance on managed security services providers, are they also (1) enhancing governance and oversight mechanism, (2) conducting periodic audits of the provider’s operations, and (3) ensuring the alignment of the provider’s processes with the company’s security policies, regulatory mandates and strategic risk management priorities?

  • The gap has widened. Three years ago, companies still viewed the information security function principally as a technology cost center.

    One unimpeachable sign of this was the fact that the single most common reporting channel for the Chief Information Security Officer (or equivalent information security executive) was to the Chief Information

    How quickly the times have changed. Since 2007, the number of respondents reporting this viewpoint has declined very significantly,from 38% to 23% this year.

    So where is the CISO reporting today? To the business “side of the house,” typically to the Board, the CEO, the CFO, the Chief Operating Officer and the Chief Privacy Officer.
    What’s the strategic significance of this reporting shift? Across industries, we continue to see evidence of executive recognition that security’s strategic value is more closely aligned with the business than with IT.

  • What is the new “flavor of the year”?

    Client requirement—although the meaning of this term likely varies a bit across respondents.
    This year, when respondents were asked how information security spending was justified in their organization, nearly every one of the top seven factors they identified—from common industry practice to potential liability or revenue impacts—reflected declines in comparison with 2007. The reductions ranged from 10% to 26%.

    Client requirement was not only the sole factor in the top seven to increase over this period, it also moved up in ranking from the bottom of the list (#6 position) to near parity (#2 position) with the leading factor: justification for information security.

    Does client requirement refer to an internal client or an external one?
    A contractual mandate or a minimal threshold on a request for proposal?
    While the survey is ambiguous on this point, it’s abundantly clear that “client requirement” in general is driving spending more than it ever has in the past.

    Is client requirement just the new “flavor,” or will it prove to be a more enduring driver? 

    Could client requirement become the globally acknowledged leading driver of security spending in the next three to four years?

    Perhaps. At this point it appears to be one more sign that, after 15 years, the information security function continues to take on a far more customer-facing, business-supporting, strategic valuebuilding

  • Which factors are driving information security spending this year?

    At first glance, the answer isn’t much of a shock: economic conditions (reported by 49% of respondents), business continuity and disaster recovery (40%), company reputation (35%), internal policy compliance (34%) and regulatory compliance (33%).

    These are the primary factors you would expect—not just one year after the greatest economic downturn in the last 30 years but also after a decade of expanding globalization; continual introduction of new technologies that enable a free flow of information worldwide; the introduction of the Advanced Persistent Threat; and a wave of regulation across markets, industries and regions.

    What is surprising, however, is that almost every one of these factors is trending at or near four-year lows. Take business continuity/ disaster recovery, for example.

    Sixty-eight percent of respondents pointed to this factor just four years ago. That was 28 points ago—a reduction of 41% compared with this year. The other drivers show comparable declines. (Slide 5,Figure 2)

    First, let’s clarify a key issue: Does this mean these factors are less important? Absolutely not.

    In many respects, they’ve never been more vital. They’re just not as vigorous spending drivers as they’ve been in the past.

  • The 2011 State of the CSO survey finds some encouraging signs, continuing the progress of recent years in the development and maturation of the security function. You'll also find a few caveats - one step forward, half a step back. Companies aren't retrenching from enterprise risk management efforts, but neither do we see the same rapid expansion of those efforts, at least in terms of the raw number of companies trying the ERM approach. Application of conventional financial metrics to the security organization remains flat - and relatively low, at that.

  • An in-depth discussion 4 Signs of security’s strategic gains and advances stand side by side with newly
    emerging cracks in its foundation.

    I. Spending: A subtle but enormously meaningful shift 
    ll. Economic context: The leading impacts and strategies 
    lll. Funding and budgets: A balance between caution and optimism 
    IV. Capabilities and breaches: Trends too large to ignore 
    V. New areas of focus: Where the emerging opportunities lie 
    VI. Global trends: A changing of the guard

  • Strategies in countering information security risks continue to emerge.

    For the first time this year, we asked respondents whether their organization has an insurance policy that protects it from theft or misuse of assets such as electronic data or customer records.
    Almost half—46%—said “yes”. And more than a few have made a claim (17%) and collected on it (13%). We expect to see these numbers rise significantly over the next several years. 

  • After chasing North America for several years, Asia now reports higher maturity levels across more capabilities than any other world region.

    Pick your metric. Asian respondents point to “client requirement” as among the leading justifications for security spending in far greater numbers than do those in any other world region. They are more
    likely to acknowledge that the increased risk environment inherent in current economic conditions has increased the role and importance of the security function.

    They’re singularly more focused on data protections than those in other regions. And they are more progressive at addressing emerging practices—such as employing dedicated security personnel to support internal business departments and implementing security technologies supporting Web 2.0 exchanges.
    At the same time, while Asian companies are pursuing comparable strategies to meet their security objectives in the context of harsher economic conditions, they’re doing so with significantly more vigor
    and energy. For example, the enthusiasm with which Asian respondents consider strengthening governance, risk and compliance capabilities to be a “top priority,” “very important” or “important” (75%) stands in marked contrast to the responses from South America (70%), North America (66%) and Europe (56%).
    Just a blip in the multiyear trend lines? No. Quite the contrary. Asia has been doggedly plowing significant resources into information security programs for several years.
    And Asia has momentum. Asian respondents are much more optimistic that security spending will increase in the months ahead than their regional counterparts worldwide.

    Soon Asia will lead the world in information security. Next year? The year after? Asia is just picking
    the runway. 

  • While a robust return to economic strength has been elusive, most economists agree that market conditions today are far better than they were in late 2008. So it’s natural to expect that executive perceptions of the impacts the downturn has had on the security function would be different than they were last year.

    They’re not. At least most of them aren’t. In fact, they’re surprisingly consistent with last year’s. Most agree, for example, that the regulatory environment has become more complex and burdensome.
    And that the increased risk environment continues to elevate the importance of the security function. And that ongoing cost-reduction efforts make adequate security more difficult to achieve.
    So what’s the greatest change reported in the global economy’s impact to the function this year? Respondents are considerably more likely than last year to report that business partners and suppliers
    have been weakened by economic conditions.

    That’s understandable, especially given factors such as the recent surge in globalization and cross-border participation in supply chains and emerging market development as well as the fact that
    one would naturally expect the real impacts to partners and suppliers to take at least one year to emerge.

    But there’s a much less obvious implication here, one that is enormously revealing about the strategic evolution in the maturity of the security function.
    This data isn’t just coming from senior business and IT decisionmakers.

    Clearly, this information is also coming from—either directly or indirectly—core business managers at the center of companies and their operations. This includes the business unit heads, the operational
    decision-makers, the supply chain experts who work most closely with the organization’s business partners and suppliers.

  • For years, the percentages of respondents who reported not knowing about key security event-related facts have been painfully high.

    Just a few years ago in 2007, for example, 40% didn’t know how many security events had occurred in the past 12 months. Today,23% don’t. In 2007, almost half (45%) didn’t know what type of security
    events had occurred. Today 33% don’t. 

    As organizations continue to “turn on the lights,” however, what they are finding is sobering. In short, the impact of security events on the business has risen to significant levels—particularly with respect to
    financial losses (now reported by 20% of all respondents), theft of intellectual property (15%) and compromises to brands or reputations (14%). 

    As these numbers continue to rise, we foresee even greater pressure on the CFO to release funding—not just to maintain security capabilities at their current level but also to advance security’s ability to
    protect and enable the business.

  • In acute contrast to Asia’s advances in information security—and its more vigorous focus on strategic issues such as alignment of security with the business and the crucial need to protect data—North
    America has chosen to “gear down” on its investments in information security over the past year and look after its financial resources.

    The writing is on the wall. Most of North America’s maturity levels for information security capabilities have remained flat or declined over the past 12 months.

    Although few in number, there were some bright spots worth noting.
    These include North American advances in embracing enterprise security management software and gains in improving the impact that virtualization has had on the information security function.

    Remember, though, that the “gas” in the North American car isn’t the same. Where Asian executives point proactively to “client requirement” as the leading justification for security spending, North
    American managers look reactively first to legal and regulatory mandates.

    That’s quite revealing—and perhaps a bit prophetic. In a few years, we may collectively look back on the first decade of this century and agree that in its adolescence, information security responded to a
    “stick”—regulation—as evidenced by North American leadership in the function through 2009. But as information security matured into a fully integrated business function with a guaranteed seat at the
    management table, the “carrot” proved the primary driver—client requirements and the revenue-enhancing role that security can play when it’s truly aligned with the business. And we may well point to Asia’s dominance in the function, first manifested in 2009 and 2010, as the first step in a new evolutionary phase for the function. 

  • At first glance, the nearly six out of every 10 (58%) respondents who report their organization has a contingency plan in place for security incidents is a healthy number. 

    But when you factor this number by the percentage who report that their plan is effective (63%), the results are disheartening.

    In effect, most organizations (63%) have no plan or the plan they have doesn’t work.

  • Funding is still tight. There’s no question about it. Although some industries and markets appear to be strengthening, companies are reacting with extreme caution.

    Asked whether their organization had reduced budgets for security initiatives over the last year, nearly half of all 12,847 respondents agreed that they had—for capital (47%) and operating expenditures
    (46%). And, in fact, these numbers matched last year’s responses to the same question—(47% and 46% respectively). 

    Quite surprisingly (at least given the signs of an impending market return to healthy levels of growth), more respondents than last year reported that their organization had deferred security-related funding
    for capital expenditures (from 43% in 2009 to 46% this year) and operating expenditures (from 40% to 42%).

    A subtle tightening of the purse strings? Yes, apparently. A sign of even greater funding restraint to come? Perhaps. But not likely.

    Evidence suggests this hyper-focus on costs, in some cases, might be akin to one segment of the global consumer market’s aversion to spending money in the months immediately preceding their purchase
    of a new car. Saving now in anticipation of spending later.

  • The second sign of optimism is a bit more exuberant.

    This year, expectations that spending will increase leaped by more points than at any time since the earliest years of this survey. This optimism—held by 52% of respondents, a higher number than any response level since before 2005—is significant.

    Absent another worldwide shock to the global economy, we may see a release of this pent-up demand “at the bow” and an increase in security-related spending on capital and operating expenditures
    as early as later this year.

  • It’s an uncertain year, and security hangs in the balance. On the one hand, the flags of caution are prominent:

    • Tight fiscal discipline and spending constraints
    • A focus on preserving cash, although some key security processes are beginning to degrade
    • Fewer incidents, but increasingly higher negative impacts to the business
    • Emerging new areas of risk and the greater possibility, relative to last year, that the security function may not be prepared to protect the business

    On the other hand, the signs of optimism—and growing functional maturity—are impossible to miss:

    • Emergence from the 2009 economic “trial by fire” with more respect from the business
    • Deeper appreciation of security’s value, not only from the C-suite —but also from the operational core of the enterprise
    • Emergence of “client requirement” as a growing driver of spending
    • New visibility into why events occur, where they come from and what harm they cause—and the highest level of optimism about spending in the last five years

    What does this mean for your business? Learn from the downturn.

    And make crucial changes. But also be the first among your competitors to face forward and strategically position your information security function to support your performance in the years ahead.

  • In the seconds after the wheel of a fast-moving 200-ton oceantransport vessel directs the ship in a markedly different direction—and before the evidence of this turn is apparent to the ship’s compass—
    the water level on one side of the wave-cutting bow registers an unmistakable change.

    That’s happening here—so to speak. We took a closer look at how respondents answered our question about spending restraint for capital and operating expenditures. And what we discovered is quite

    Spending caution appears to be “easing” for projects more than six months out and for reductions of 10% or more. And it’s “building up at the bow” for projects under six months or budget reductions
    under 10%.

    Why is demand “bunching up” for near-term projects? It’s hard to tell. Some of our clients are concerned about the short-term reliability and calendar timing of the return to economic strength. Others are interested in funding a higher portion of security-related investments in operating and capital expenditures from actual revenue streams as they manifest themselves on a cash basis, rather than accrual.

    And many management teams, of course, have their heads down trying to balance security’s demand for those funds against “first distribution” calls for value-creating funding from across the

    How do we view this trend in the data? As a noteworthy shift in the focus of funding restraint—away from long-term initiatives and increasingly concentrated on initiatives planned for the short-term.
    We take that as an unimpeachable sign of cautious optimism—one sign, actually, of two.

Show Comments