What are CISOs’ top security concerns and strategies?

Security is no longer just an IT issue, it’s a business priority issue. In the past year, we’ve experienced a handful of high profile data breaches that affected tens-to-hundreds of millions of individuals in each—Court Ventures in October 2013, Target in December 2013, P.F. Chang’s in June, and the untold number of sites that a Russian crime ring hacked just a couple of weeks ago.

[Survey results reveal both IT pros’ greatest fears and apparent needs] 

Security teams protecting sensitive corporate data aren’t the only ones embracing advances in technology—so are the sophisticated criminals trying to disrupt business. Protecting data privacy, meeting compliance requirements and guarding against malicious phishing and malware are cited as top security concerns according to a recent Wisegate member poll. But what are IT security executives actually focused on as priorities? Where are they looking to innovate their processes? And how will our nation’s top security experts help their businesses take smart risks?

Wisegate, an IT advisory service, and Scale Venture Partners teamed up to survey over a hundred security leads to find out.

The report highlights these key findings:

• New battlefields, same war. CISOs remain vigilant on the fundamentals: Malware outbreaks and data breaches. Security teams confront growing risks on many fronts, from new technologies to external threat factors. Driving their security strategies are six technology trends, including BYOD, Everything as a Service, Cloud Application Security Brokers and SecDevOps. The five top risks resulting from these trends include malware outbreak and sensitive data breaches—these two risks accounting for nearly a third of all CISO’s top priorities.

• Security programs prioritize risks and business alignment, but lack tools to draw the big picture. Their risks are increasing, but only half can efficiently report risk status to their boards and internal business partners. Despite being able to identify their top risks, one-half of the survey participants admitted they didn’t have good ways to measure the status of these risks or how effective their programs were at addressing them. Security and risk management systems are becoming Board-level discussions; government and industry regulations are also requiring better risk monitoring and controls. While many security products do provide dashboards, those tend to be specific to that product’s threats and activities. What’s needed are efficient ways to map all of this event data into holistic, business-level perspectives.

• Top tech trends and risks show that as IT hands off infrastructure control, CISOs focus on the data. Shared risk models are a nod to the expanding universe of user devices and the dissolving enterprise perimeter. CISOs are looking to put security controls as close as possible to enterprise data, versus focusing on specific device types or threats. Information protection and control products (IPC), including DLP/DRM/masking/encryption technologies, were the number one desired control to apply on computers, at the infrastructure layer, within applications, and on mobile endpoints.

• Automate all the things. CISOs push automation, orchestration to manage point solution sprawl. Consolidation and automation are top areas of focus to improve security program maturity. Three-quarters of CISOs are building or integrating solutions to address their top risks; APIs are frequently requested features in modern security solutions. Over half (59 percent) identified proactive threat/misuse detection or automated orchestration to streamline their incident response processes as a top goal.

[CSOs face ongoing paradoxical challenges, according to report] 

Check back in with CSO Online to see our in-depth reports based on the survey results. Look forward to learning about:

• Security programs metrics/reporting: What’s working, what’s not? 
• Automation: CISOs focus on automation, orchestration to manage point solution sprawl to improve security program maturity.
• Top Risks/Controls: CISOs remain focused on the basics – malware and data breaches.
• Data-centric to address BYOD/Cloud: As IT hands off control, CISOs focus on the data.

Bill Burns is an executive-in-residence at Scale Venture Partners. Elden Nelson is the editor-in-chief at Wisegate.