While cloud and mobile remain important within many organisations, foundational technologies that CISOs are focusing on include identity and access management (51 percent), network intrusion prevention and vulnerability scanning (39 percent) and database security (32 percent).
The primary mobile challenge for security leaders is to advance beyond the initial steps and think less about technology and more about policy and strategy. The report also shows that less than 40 percent of organisations have deployed specific response policies for personally owned devices or an enterprise strategy for bring-your-own-device (BYOD).
However, this gap is being recognised: establishing an enterprise strategy for BYOD (39 percent) and an incident response policy for personally owned devices (27 percent) are the top two planned areas for development over the next 12 months.
Security leaders use metrics mainly to guide budgeting and to make the case for new technology investment. In some cases, they use measurements to help develop strategic priorities for the security organisation. In general, however, technical and business metrics are still focused on operational issues. For example, over 90 percent of interviewees track the number of security incidents, lost or stolen records, data or devices, and audit and compliance status—fundamental dimensions one would expect security leaders to track.
Only 12 percent of respondents are feeding business and security measures into their enterprise risk process even though security leaders say the impact of security on overall enterprise risk is their most important success factor.
"It's evident in this study that security leaders need to focus on finding the delicate balance between developing a strong, holistic security and risk management strategy, while implementing more advanced and strategic capabilities—such as mobility and BYOD," said David Jarvis, author of the report and manager at the IBM Center for Applied Insights.
The full study is available here.