In a recent survey of over 7,000 CEOs, CIOs, CFOs, CISOs and CSOs by PricewaterhouseCoopers, 85 percent of respondents said that they now have a security executive, a Chief Information Security Officer. That is up from 56 percent last year and only 43 percent in 2006, so the trend is clearly on the rise. Not surprisingly, IT security spending will also remain strong: 63 percent said that spending will increase, and only 12 percent plan to decrease it. There is also an interesting discussion on the responsibility of a CISO versus a Chief Risk Officer (CRO) going on in the IT Business Edge Knowledge Network that you should check out.
What is driving organizations to increase budgets and hire security officers? According to PwC, it's an increased risk environment, regulations, and additional industry standards. This boils down to organizations wanting to enhance their risk, regulatory, and compliance positions. Organizations are tired of hearing that they are not compliant or not meeting increasing regulatory requirements. They are under pressure from their boards of directors, stockholders, and users to finally become compliant.
In the past, security positions typically existed in organizations as a Director of IT Security or even a VP of Security. In almost all cases, these positions reported to the CIO. The new spin is that the majority of CISOs hired now report to the CEO or the board of directors. Organizations are saying that security is a corporate concern, and they are willing to give these security execs the authority and funding to be successful. And if they are successful, then the organization will be successful.