SecureWorld: Larry Ponemon of the Ponemon Institute’s Keynote Address

Online Tech is exhibiting secure and compliant hosting solutions at Detroit SecureWorld 2013, held yesterday and today. In case you missed it, here are some facts from the opening keynote from Dr. Larry Ponemon of the Traverse City-based research firm, The Ponemon Institute:

Facts about IT Security Leaders
Dr. Larry Ponemon
Ponemon Institute:
• Institute dedicated to advancing responsible info management practices.
• Member of CASRO
• Majority of active participants are privacy or InfoSec members

11 myths:

• Many larger sized companies do not have a fully dedicated CISO (Chief Information Security Officer)
• CISO role is complex
• CISO lacks budget authority
• CISO activities are tactical
• They’re advisors
• Have a hard time getting exec buy-in
• They have wanderlust
• Positioned too low in organization
• Cisos feel they are undercompensated

Most reports are 2-3 years old.
40% have fully dedicated CISO
44% don’t have CISO
The rest are part-time

Influence:

• 55% shared influence and control.
• 22% central influence and control
• Can’t call the shots directly.
• How is Influence and control divided?
• 41% geography
• 30% line of business
• 14% functional areas

Budget authority:

• 28% full ownership
• 43% partial ownership (Opx only)
• 6% partial ownership (capx only)
• 23% no authority
• Most large-sized companies have around $2-4 Million

Chain of command – Report to:

• CIO (56%)
• CFO (15%)

If you’re doing your job as a CISO, sometimes you’re going to be reporting about will be in the IT department, or even the CIO. You don’t want to report to the CIO, who could potentially censor that information as it heads farther up the chain.

In general, we see this issue creates some sticky issues.
How many steps between CEO and CISO:

• 45% 3 steps
• 37% more than 3 steps

Number of people report to CISO:
Average is 3-6. Most CISOs are advisors, they don’t need a huge staff. It can be a problem when something needs to be implemented but you aren’t a priority to the staff

How do you measure effectiveness:
If you boil the ocean, you really only have two measurements (external and internal) –

• 36% none
• 30% mostly internal (softer metric, things like training)
• 12% mostly external
• 22% combo of both

Rank of critical success factors:

• Adequate funding
• Preparedness
• Support structures
• Leadership
• Organizational structure
• Domain expertise or knowledge
• Agility (weirdly ranked low comparatively)

What is CISO’s reporting structure:

• 53% direct line
• 31% direct plus 1 indirect line
• 9% direct plus 2 indirect lines
• 7% only indirect lines

Gender differences:
89% male!
11% female
In privacy, women are more likely to be CPOs than CISOs

CISO tenure:
Average 2.1 years
51% less than 2 years
Why? There’s so much demand that they can jump from job to job. The other likely reason is that when something goes wrong, someone needs to be blamed, and that someone is the CISO.

CISO equivalent job titles:
Chief Security Officer
SVP Information/data security

Rationale for establishing CISO function:

• 52% ex-post response to a security incident or breach.
• 21% ex-post response to compliance and regulatory snafus.

CISO attitudes about present role:

• 33% good job but not the best
• 32% bad job but not the worst
• 24% worst job I ever had
• 11% best job I ever had

How difficult?

• 43% 9-10 difficult
• 26% 7-8 difficult
• 26% 5-6

CISO background:

• 34% tech background
• 20% law enforcement
• 16% military

How do CISOs spend their time?
Monitoring and audit (23%)
Policy enforcement (16)
Suggests CISOs are more tactical than strategic – if you don’t have the relationship between IT ops, you’re not going to get anything done.

CISO role described as Consultant (40%)

• Influencer (23%)
• Barriers to CISOs success:
• Lack of adequate funding (56%)
• IT complexity (42%)
• Lack of qualified personnel (41)
• Greatest accomplishment:
• Solved a crime (33%)
• Stopped a crime (32%)
• Identified system vulnerability (19%)

Does CISO report to board?

• 33% no reporting
• 30% informal and event driven
• 20% formal, regular intervals

A lot of CISOs like to roll up their shirt sleeves and don’t delegate well, but when you have Chief in your title, you have to back up and learn to delegate more. That’s a common trait you see throughout security. So now you’re a chief, how do you delegate that? It’s a big problem, and a common problem throughout the industry.