The major data breaches that have received mass media
coverage are driving so-called "C-level" executives to become
actively involved in their organization's security policies, according to a new
report from the (ISC)2.
There are several key "take-aways" from the
report, titled
"2008 (ISC)2 Global Information Security Workforce" and authored by Rob Ayoub, Frost & Sullivan's network security
industry manager.
Ayoub told SCMagazineUS.com that these include the fact that
C-level executives are paying attention to security, the overall optimism of
security professionals is increasing and organizations are focusing more on
business continuity and disaster recovery.
"CEOs are asking their security professionals
important questions about how they're prepared to not become another TJX,"
Ayoub explained. "We've heard a lot
in the past about upper management taking a role in security; this time it is
validated."
Nearly three-quarters (73 percent) of the 7,548
security professionals surveyed reported that they're concerned about the impact of service
downtime and damage to the organization's reputation.
"Public reputation
was very important, and these are issues we haven't seen concern in
before," Ayoub said.
“The study confirms for me that security is becoming a
broader issue and is moving up the stack into the priorities of business folks
as well,” Howard A. Schmidt, the (ISC)2's security strategist, told
SCMagazineUS.com. “Executives are seeing that breaches can have far-reaching
consequences throughout their business, impacting corporate reputation, the
privacy of customer data, identity theft and of course legal and regulatory
compliance.”
In addition, 70 percent said customer issues related to
privacy violations were high priority, as were customer identity theft issues
(67 percent). Other top-of-mind issues included concern about viruses and worms
and insider threats.
The top five new security technologies enterprises
are deploying now are biometrics, wireless, disaster recovery, intrusion
prevention and cryptography, the report indicated. Ayoub said he was surprised
that disaster recovery climbed into the “top five” realm this year.
Disaster recovery has become a key issue "because
companies rely so heavily on the internet for employee communications and to
react with customers," Ayoub said. "They realize they need to have a solid
disaster-recovery plan."
"Public incidents are driving an awareness in
disaster-recovery technologies," he added. "Company executives are
seeing events on the news and want to know how they're prepared to deal with a
fire or a hurricane."
Ayoub also said the report indicated companies planned to spend more money on security training, and that security professionals
are "optimistic" about their jobs.
All this points to the conclusion
that more C-level executives are "showing actual concern about what their
security professionals are doing and not just paying lip service," Ayoub
said.