After what many will call the ‘Year of the Data Breach,’ more organizations are embracing IT risk management as a means of addressing the root cause of the problem. Increasingly, boardroom discussions center on security threats and risk management, as CISOs are asked by the CEO “How secure is our e-commerce site?” or “Are we at risk of being attacked by threat X or virus Y?” CISOs who stay in the traditional role and focus only on technology cannot answer these questions effectively.
In 2012, Symantec predicts that a growing number of CISOs will start to look for more effective ways to communicate IT risks to their executive-level stakeholders. The CISO’s role is evolving from being able to respond to security incidents and meet compliance requirements to being able to communicate IT risk in business-relevant terms. Unfortunately, only one in eight CISOs has successfully made this transition today.
Over the next year, we’ll see more CISOs looking to deliver valuable qualitative and quantitative metrics that help business leaders make more informed decisions about IT risks. The CISOs who deliver this information in terms that executives can understand and act upon will be the ones who succeed in gaining the resources and support needed to manage these IT risks effectively.
For many, 2011 will be recalled as the year of the data breach, as companies of all sizes made headlines for losing valuable data. Small businesses were no exception, as cyber criminals made SMBs a favorite new target. Looking forward, the threat landscape won’t be getting any better, but Symantec foresees 2012 as a year of action for businesses, in which they’ll start taking tangible steps to protect themselves from the threats they face.