A recent report by market researcher Enterprise Strategy Group (ESG) makes some interesting claims about the usefulness of a CISO. The report polled 227 North American security executives in organizations larger than 1,000 employees. Based on the results, ESG concluded that organizations with a CISO are more secure than those without one.
While I would say that the "results" (and I use that term very loosely here) are very useful to CISOs in justifying their positions, the reality is that this is just another way for a market research firm to create news. Worse yet, it gives companies a false sense of security by suggesting that a job title somehow makes an organization secure. The real revelation is that organizations with CISOs believe they are more secure, not that they are more secure.
ESG asked security executives whether their security technology was sufficient to protect their organizations. Frankly, technology is one of the weakest indicators of security, because security is much more a process than a technological implementation. The best technologies in the world are pretty useless if they are not implemented and operated properly.
Technologies are like placing bandages on a body when you have no clue what is wrong with it. Maybe there is a trivial skin wound, and a bandage is perfect. Maybe, however, you nicked an artery, and a bandage is merely cosmetic. Maybe there is internal bleeding that you never see, which will leave you dead in minutes regardless of whether a bandage is present.
If a survey wants to be useful, why don't we see questions that address whether or not organizations have the fundamental components of a good security program?
Why doesn't a research firm, for example, ask whether organizations have data classification programs in place? Why doesn't it ask what resources are put into security awareness programs? Why doesn't it ask about the internal and external monitoring technologies and procedures in place? What about vulnerability management technologies and processes? Is there an incident management process defined and tested?
If an analyst firm or any other company wants to produce useful information instead of press releases, it should break its surveys down into real indicators and ask respondents whether their organization has the various components of what is generally considered a strong security program. Then it could determine whether organizations with CISOs actually have more of those desirable components.
Ira Winkler is president of the Internet Security Advisors Group. He has over 20 years of experience in the intelligence and security fields, has worked for the National Security Agency, and consults for a wide variety of Fortune 50 corporations. The author of Spies Among Us, he is an occasional contributor to Security Wire Perspectives.