Page 1

CISOs: The Good, The Bad & The Ugly
Ponemon Benchmarks & Factoids

CISO Summit

Keynote by Dr. Larry Ponemon

Scottsdale, AZ

December 4, 2013

Page 2

Ponemon Institute LLC

The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.

The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO's Government & Public Affairs Committee of the Board.

The Institute has assembled more than 65 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.

The majority of active participants are privacy or information security leaders.

11/26/2013 Ponemon Institute: Private and Confidential 2

Page 3

Facts and Factoids: 11 Myths about CISOs

• Many larger-sized companies do not have a fully dedicated CISO
• The CISO role is fairly complex
• Most CISOs lack the budget and budget authority to get the job done right
• CISO activities are more tactical than strategic
• CISOs are advisors/consultants, not the decision maker
• CISOs have a hard time getting executive buy-in
• CISOs have a hard time keeping their jobs (or wanderlust)
• Many CISOs are positioned too low in the organization to be effective
• Many CISOs feel they are under compensated
• CISO authorities and responsibilities are often shared, not owned
• Most CISOs do not enjoy face time with the CEO or Board

Page 4

Source of CISO Factoids

• Factoids are derived from various survey or benchmark studies focused on IT or "cyber" security roles conducted over the past few years
• Meta analysis was performed on as many as 34 studies involving larger-sized organizations to capture certain facts
• Participants (respondents) included IT and IT security practitioners ranging in position from technician or staff-level personnel to senior executives. The largest sample segments included respondents at the director, manager or supervisory levels
• Meta samples included more than 30 industry segments. The largest segments typically included financial services, public sector (government), services (including IT and professional services) and retail
• While a majority of respondents are located in the United States, several studies included individuals in more than 29 countries (representing all major economic regions)

Page 5

CISO attitudes about their present role

• Best job I ever had: 11%
• A good job but not the best: 33%
• A bad job but not the worst: 32%
• Worst job I ever had: 24%

Study of companies with 1,000 or more employees

Page 6

How many companies have a CISO (or equivalent title)?

• Fully dedicated: 40%
• Partially dedicated: 16%
• None: 44%

Study of companies with 1,000 or more employees

Page 7

CISO's influence and control

• Shared influence and control: 55%
• Central influence and control: 22%
• Central influence, shared control: 17%
• Shared influence, central control: 6%

Study of companies with 1,000 or more employees

Page 8

How is influence & control shared or divided?

Shared by:
• Geography: 41%
• Line of business: 30%
• Functional areas: 14%
• Data centers: 8%
• Other: 7%

Study of companies with 1,000 or more employees

Page 9

The CISO's budget authority

• Full ownership (Capx and Opx): 28%
• Partial ownership (Opx only): 43%
• Partial ownership (Capx only): 6%
• No authority: 23%

Study of companies with 1,000 or more employees

Page 10

CISO discretionary budget per annum

• < $1,000,000: 9%
• $1,000,000 to $2,000,000: 14%
• $2,000,001 to $3,000,000: 18%
• $3,000,001 to $4,000,000: 20%
• $4,000,001 to $5,000,000: 19%
• $5,000,001 to $10,000,000: 10%
• > $10,000,000: 10%

Study of companies with 1,000 or more employees

Page 11

CISO's chain of command

• CEO: 1%
• Internal audit: 1%
• COO: 2%
• Compliance: 2%
• Data center management: 2%
• CTO: 3%
• CSO: 3%
• Business unit: 4%
• Risk management: 11%
• CFO: 15%
• CIO: 56%

Study of companies with 1,000 or more employees

Page 12

CISO – steps below the CEO

• 1 step: 2%
• 2 steps: 16%
• 3 steps: 45%
• 4 steps: 23%
• 5 steps: 12%
• > 5 steps: 2%

Study of companies with 1,000 or more employees

Page 13

CISO – Number of CISO's direct reports or "span of control"

• 0 (none): 13%
• 1 to 2: 11%
• 3 to 4: 30%
• 5 to 6: 27%
• 7 to 8: 10%
• 9 to 10: 5%
• > 10: 4%

Study of companies with 1,000 or more employees

Page 14

Metrics used to determine the success or failure of the CISO organization

• None: 36%
• Mostly internal: 30%
• Mostly external: 12%
• Combination of internal and external: 22%

Study of companies with 1,000 or more employees

Examples:
Internal - number of users who receive security training
External - number of data breaches of 1,000 or more confidential records

Page 15

Average rank of seven critical success factors for CISOs
(1 = Most important to 7 = Least important)

• Agility: 6.55
• Domain expertise or knowledge: 5.81
• Organizational culture: 4.22
• Leadership: 3.88
• Support structures: 2.90
• Preparedness (readiness): 2.41
• Adequate funding: 1.89

Study of companies with 1,000 or more employees

Page 16

What is the total FTE headcount of the CISO organization?
Direct and indirect headcount, combined

• 0 (none): 5%
• 1 to 5: 15%
• 6 to 10: 23%
• 11 to 15: 39%
• 16 to 20: 10%
• > 20: 8%

Study of companies with 1,000 or more employees

Page 17

What best describes the CISO's reporting structure?

• Direct line only: 53%
• Direct plus one indirect line: 31%
• Direct plus two or more indirect lines: 9%
• Only indirect lines (fuzzy): 7%

Study of companies with 1,000 or more employees

Page 18

CISO – Gender differences

• Male: 89%
• Female: 11%

Study of companies with 1,000 or more employees

Page 19

CISO – Years of relevant experience

• < 5 years: 8%
• 5 to 10 years: 25%
• 11 to 15 years: 28%
• 16 to 20 years: 19%
• > 20 years: 22%

Study of companies with 1,000 or more employees

Page 20

CISO tenure (average 2.1 years)

• < 2 years: 51%
• 2 to 3 years: 31%
• 4 to 5 years: 10%
• 6 to 10 years: 5%
• > 10 years: 3%

Study of companies with 1,000 or more employees

Page 21

CISO-Equivalent job titles

• Director information audit: 1%
• Managing director information/data security: 1%
• Chief security scientist: 1%
• Chief security strategist: 1%
• Chief security technology officer: 1%
• Director intellectual property management: 1%
• Director security risk management: 1%
• Executive director information/data security: 2%
• Chief security architect: 2%
• Chief security engineer: 2%
• Director information risk management: 2%
• EVP information/data security: 5%
• Director information/data security: 12%
• VP information/data security: 13%
• SVP information/data security: 14%
• Chief security officer: 41%

Study of companies with 1,000 or more employees

Page 22

Primary rationale for establishing the CISO function

• Ex-post response to a security incident or breach: 52%
• Ex-post response to compliance and regulatory snafus: 21%
• To keep pace with other companies: 12%
• In response to liability and exposure: 8%
• To preserve reputation: 5%

Study of companies with 1,000 or more employees

Page 23

How difficult is the CISO's job? Rating on a 1 to 10 scale

• 1 to 2 (easy): 2%
• 3 to 4: 3%
• 5 to 6: 26%
• 7 to 8: 26%
• 9 to 10 (difficult): 43%

Page 24

Relative to other C-level executives, are CISOs fairly compensated?

• Below other C-level executives (unfair): 39%
• Equivalent to other C-level executives (fair): 50%
• Above other C-level executives (generous): 11%

Study of companies with 1,000 or more employees

Page 25

CISO's base annual compensation (US dollars)
Salary information about 133 actual CISOs

• $200 to 300k: 17%
• $301 to 400k: 46%
• $401 to 500k: 15%
• $501 to 1 million: 20%
• > $1 million: 2%

See SecureWorld & Ponemon's newest benchmark study

Page 29

CISO-relevant backgrounds

• Other: 2%
• Audit/finance: 4%
• Homeland security: 5%
• Compliance/legal: 5%
• Intelligence: 14%
• Military: 16%
• Law enforcement: 20%
• MIS, computer sciences: 34%

Study of companies with 1,000 or more employees

Page 30

How CISOs spend their time (100 points)

• Corporate communications: 1
• Strategy setting: 1
• Policy development: 2
• Education and awareness: 2
• Recruitment: 2
• Procurement: 4
• Planning: 5
• Readiness testing: 5
• General management: 6
• Risk assessment: 10
• Business continuity management: 11
• Incident management: 12
• Policy enforcement: 16
• Monitoring and audit: 23

Study of companies with 1,000 or more employees

Page 31

Essential dotted line relationships with the CISO role

• Corporate finance: 4%
• Internal audit: 8%
• Human resources: 16%
• Enterprise risk management: 21%
• Privacy office: 28%
• Business continuity management: 36%
• Corporate compliance: 39%
• Data center management: 55%
• IT operations: 78%

Study of companies with 1,000 or more employees

Page 32

The CISO role is best described as . . .

• Combination of the above: 5%
• Advocate: 11%
• Controller/decision maker: 21%
• Influencer: 23%
• Consultant: 40%

Study of companies with 1,000 or more employees

Page 33

What CISOs think – Who are their heroes?

• Inventor/scientist: 1%
• Social advocate: 2%
• Government leader: 2%
• Religious figure: 5%
• Famous celebrity: 12%
• Cartoon character: 15%
• Business founder/entrepreneur: 15%
• Military leader: 23%
• Sports figure: 25%

Study of companies with 1,000 or more employees

Page 34

Barriers to the CISO's success

• Shadow IT issues: 16%
• Insecure third-party relationships: 18%
• Silos and turf issues: 20%
• Lack of executive buy-in or support: 23%
• Insufficient technologies and tools: 25%
• Disruptive technologies: 26%
• Employee negligence: 33%
• Lack of qualified personnel: 41%
• IT complexity: 42%
• Lack of adequate funding: 56%

Study of companies with 1,000 or more employees

Page 35

CISO's greatest single accomplishment (on the job)

• Obtained recognition: 2%
• Persuaded management: 3%
• Educated management/board: 3%
• Secured funding: 3%
• Protected colleagues/personnel: 5%
• Identified system vulnerability: 19%
• Stopped a crime: 32%
• Solved a crime: 33%

Study of companies with 1,000 or more employees

Page 36

How the CISO reports to the board

• Formal, irregular intervals: 5%
• Informal, at the will of the CEO/board: 12%
• Formal, regular intervals: 20%
• Informal, event driven: 30%
• No reporting occurs: 33%

Study of companies with 1,000 or more employees

Page 37

Caveats & Limitations

• Non-response bias: The current findings are based on a Meta sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.
• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT practitioners who deal with a wide array of issues. We also acknowledge that responses from paper, interviews or telephone might result in a different pattern of findings.
• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process, there is always the possibility that certain respondents did not provide responses that reflect their true opinions.

Page 38

Questions?

Ponemon Institute
www.ponemon.org

Tel: 231.938.9900

Toll Free: 800.887.3118

Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA

[email protected]