How would you like to work in an environment where the CXOs all recognize the importance of your job, information security, and are willing to support you? Sounds like an Alfred Hitchcock film -- scary but in a good way. According to the results of a survey by InformationWeek, though, executives are all on the same page when it comes to information security. The report, "A Unified Front: Exploring What Executives Really Think of Security," is available with free registration for a limited time (how long is not stated; it is currently being underwritten by Symantec, so take advantage of the opportunity). The executive support was surprising to InformationWeek, and I have to admit, to me as well. However, when you think about it, CXOs are tired of being smacked for non-compliance, class action lawsuits and breaches, and it looks like they have learned their lesson, or at least part of it.
The survey included responses from 326 IT decision makers at North American companies with annual revenues ranging from less than $6 million to more than $1 billion.
When asked what priority the respondents placed on information security, 75 percent said that they ranked it as the highest corporate priority. Not only do executives say that information security is important, they put their money where their mouth is; 58 percent of IT directors said that they are adequately funded by executive management.
In my opinion, we need more than executives saying we have their support and funding, although it's a great start. We need IT executives to take an active role in the process. Again, I am surprised that 66 percent of respondents said that information security leadership participates in critical business decisions. I still don't feel that this goes far enough. Yes, IT security management has to provide thought leadership, but then they have to become security evangelists and constantly sell the benefits.
Finally, what would really convince me that executive management supports information security is a mandate that security be involved early in the idea process. This would allow us to voice concerns, formulate solutions, and react to risks early enough for them to have an impact and, I believe, cut down on the number of projects abandoned due to security concerns. The top three information security topics reported to IT executives are status of compliance with government/industry information security mandates, general information status reports, and vulnerability assessment/remediation reports.
The survey went on to cover topics including business and security alignment, business opportunities abandoned due to security risks, top security concerns, and security program effectiveness, to name a few.
With so much depressing news in the security industry today, it's nice to finally see a bright spot. Are you and your executive management team on the same page when it comes to information security?