2 minutes on... CISO: The balancing act?
The latest Annual Security Report from Cisco shows that while 91 percent of the 1,700 respondents (from the UK and eight other countries) are confident in their IT security, only half are carrying out standard practices such as vulnerability scanning, patch management and pen-testing. Only 10 percent say they are using the most recent version of Internet Explorer.
If that implies there is a gap between security in theory and reality, then that may well be better illustrated by the apparent disconnect between CISOs and security operations managers. Approximately 62 percent of CISOs agreed with the statement that their company's security processes were ‘clear and defined’, compared to 48 percent of SecOps managers, while 59 percent of CISOs believed their security technologies were ‘optimised’, a view shared by only 46 percent of SecOps managers.
“It's likely due to the fact that CISOs are more removed from day-to-day security activities, whereas SecOps staff are working closely to resolve both major and minor security incidents. A CISO of a very large organisation might not realise that a thousand machines are infected by malware in a typical day, whereas the SecOps manager would have devoted much more time to mitigating the infection, hence his or her less optimistic outlook on organisational security,” reads the report.
“In addition, CISOs may be setting policies, such as blocking access to social media, giving the illusion of tighter, more impenetrable security defences.”
The report further notes that while confidence in security policies is high among CISOs and security teams, there is ‘markedly less’ confidence in their company's ability to spot and contain an attack.
Sophos global head of research and SANS instructor James Lyne told SCMagazineUK that CISOs are in an unenviable position.
“It's a real challenge for a chief information security officer. This explosion of technology, and the demand for businesses to adopt, makes it harder for a CISO to get in the ebb and flow of good decision making about technology.”
Lyne added that this was further complicated by the promotion of CISOs within business, which would mean learning new skills, such as becoming a risk manager. “You've kind of got to be all things to all people,” she said.