(ISC)2 issued their Global Information Security Workforce Study during the RSA Conference in February; so when their own Security Congress 2013 event opened in Chicago this fall, they were looking for something fresh to say. The solution was a recut of the original data, focusing solely on the responses from the 1,634 respondents "with security executive titles."
The results in "A View From the Top: The (ISC)2 Global Information Security Workforce Study CXO Report" largely tracked with the broader Global Workforce Study, but did uncover a strange paradox. The top priority or "concern" was application security, but it also ranked as the lowest priority in terms of time spent.
It's a big mismatch, and respondents in this report aren't exactly the slackers in the room. They've been in the security discipline for more than 14 years on average; 12% of them have been at it 25 years or more. They're all C-level, with 57% holding CSO, CISO or CIO titles. They make the big bucks, with a third of them (in the private sector, at least) making in excess of $150,000 per year. But they're not working on application security.
Software security mismatch
One basic attribute that tends to keep CXOs less engaged with development teams, says software security expert Gary McGraw, is that within most organizations, security is one silo, while software development efforts are in another. McGraw, CTO of Washington, D.C.-based Cigital, argues that the solution for getting security concerns addressed is a software security group. CISOs may not manage or have direct oversight of development teams, "but they can handle the software security group," McGraw says, "a specially constructed group that sits between security and development and only focuses on software security."
Every firm involved in the Building Security In Maturity Model has a software security group, according to McGraw: "We're talking about a thousand full-time software security people led by 67 executives who control the work of about a quarter million developers."
As it happens, most of those 67 executives are not CISOs -- 19 are in the CIO reporting structure, 15 within the CTO's organization. Others report to the COO, the General Counsel's office, and the Office of Compliance and Risk Management. One reports directly to the CEO.
But if security groups reported to CISOs, "it would make the data that they're reporting actually make sense," says McGraw. "It would mean that the top-level guy has maybe 10 things that are really important -- and software security is just as important as the other nine."
With or without a security group, some CISOs say their organizations are on top of application security. Diana-Lynn Contesti, CISO at Luxembourg-based ArcelorMittal and a member of the (ISC)2 board of directors, says that application security has gained top priority at her organization.
That's partly because some of the industrial controls they program come with life-and-death stakes. "When you're in a steel manufacturing environment, you have sheets of steel coming along that are razor thin," she says. "Remember the old 35-millimeter cameras that you'd put film in, and it would shoot along and grab into a spindle? We do that with steel; so we shoot along, it's grabbed onto a spindle and it coils. Can you imagine if that were to just go off the shoot and not spindle properly? It could cost a human life."
And locking things down, Contesti says, means focusing on the applications. "If you talk about a SQL injection, you can only do a SQL injection if my application is not put together properly. So one of our main focuses is trying to train the developers to write secure code.
"We have a Web presence, and we also have a process automation environment," says Contesti. "People think they only have to worry about the Web stuff -- they have to worry about all of their applications. Because what people don't understand is, once I breach your shell, I can go anyplace."
Just the half of it
What other issues are troubling CXOs? In addition to application security (which 72% of respondents said was a top concern or their highest concern), CXOs say their top concerns include mobile devices (70%), malware (68%) and insiders (62%).
Julie Peeler, director of the (ISC)2 Foundation, notes that mobile and BYOD bear some similarity to the software security issue: "They rank BYOD very high, but we know that actual compliance to BYOD policies is very low."
The top things CXOs wanted to avoid included damage to their organizations' reputations (83%), breach of laws and regulations (75%), service downtime (74%) and customer privacy violations (71%).
CXOs spend their time where you'd probably expect, with GRC activities and security management topping out at 74% apiece as the areas where "significant time" was allocated. Third-place honors in time allocation went to "security leadership," with 63% saying it was a significant time commitment. Interestingly, only about a third (34%) said that researching new technologies was a top time commitment. Software development? Only 7% rated it as an area where they spent "significant time."
Most of this tracks closely to results from the broader industry survey from which this data was winnowed. "We have commonality here between the security executives and their rank and file," says Michael Suby, global program director for information security at Frost & Sullivan, who prepared the report. "There are more commonalities than differences, and it's good to see that within the security department, there's a common viewpoint."
Hiring and spending increases
Ah, and the other thing that the CXO crowd is up to? Hiring. It's higher (72%) among security executives employed in private industry, but still noteworthy (51%) among those employed by the government. All that hiring effort is driven, no doubt, by the fact that a solid majority of respondents say their organizations don't have enough security personnel. Rainer Rehm, information security officer at MAN Munich, who is quoted in the report, noted that getting everything done means that "many more experienced and trained people are needed. But they do not exist and will be difficult to recruit."
Not surprisingly, spending on personnel was seen as likely to increase, but not by as many of the executives as one might expect -- only 35%. Beyond increased spending on employees, 39% of executives predict a spending increase in security hardware and software.
The (ISC)2 survey posed a question about what attributes are important if one wants to be a successful security professional. Project management skills ranked relatively low (with 59% saying it was important or highly important), but communication skills ranked highest, at 93%. Right behind it at 92%: a broad understanding of the security field.
W. Hord Tipton, (ISC)2's executive director, agrees that communication is critical to success, particularly when working with top management. You've got to make the conversation about risk and business objectives, according to Tipton.
"These are things that business executives understand," he says. "You do your homework, get prepared and take the CFO out to lunch every once in a while.
"So I want to be sure that we prepare and educate and train the CISOs in such a manner that they can relate," says Tipton. "And they can get that message passed up to the CIOs, the risk officers, whoever they report to -- people who do have access and can get the message in at the appropriate time."
About the author:
Robert Richardson is the editorial director of TechTarget's Security Media Group. Follow him on Twitter @cryptorobert.