Monday, May 7, 2012

IBM CISO Study as Predictor of Future Electric Sector Cyber-Security

IBM recently interviewed security leaders at a range of companies, recorded their responses, and teased out findings that I think you'll find interesting.

Respondents ultimately fell into one of three categories: Influencers, Protectors and Responders. I can't say how many electric sector professionals were queried, but there's a callout box featuring an anonymous VP of IT who is quoted as saying:
Security leaders are becoming more closely integrated into the business – and more independent of information technology.
Right on, and from my interactions with the community, that statement holds true for a small but growing number of utilities.

In the survey, you'll note that the more advanced companies, those with security leaders labeled "Influencers," score highest in the following categories:
  • Dedicated CISOs
  • Presence of a security/risk committee
  • Security has budget authority
  • Security has increased leadership attention
  • Security is a regular board topic
  • Standardized metrics are used to measure performance
I'll skip over the middle-of-the-pack "Protectors" and take you right to the group that, to me, sounds like the closest thing to a typical electric sector security lead, the "Responder":
This group remains largely in response mode, working to protect the enterprise and comply with regulations and standards but struggling to make strategic headway. They may not yet have the resources or business influence to drive significant change.
This is where I think most utilities fall today. There are exceptions to be sure, and, IMHO, over time more and more utilities will become increasingly proactive and business-oriented in how they manage cyber security, privacy and compliance matters.

There are a handful of exemplars out there today working hard to define a new way of doing security, and as they move forward, they're creating precedents and models others can adapt and adopt.

I'll conclude with the report's overall cross-industry observations, which appear to support the case above:
  • Business leaders are increasingly concerned with security issues. Nearly two-thirds of security leaders say their senior executives are paying more attention to security today than they were two years ago, due in large part to media attention.
  • Security budgets are expected to increase. Two-thirds of security leaders expect spending on information security to rise over the next two years. Of those, almost 90 percent anticipate double-digit growth. One in ten expects increases of 50 percent or more.
  • Attention is shifting toward risk management. In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues.
Here's a LINK for the report summary landing page which includes a link to reach the full report.