Mobile security has been the top technology concern, with more than half of security leaders ranking it as a major technology challenge over the next two years. According to the IBM CISO study, mobile security continues to receive significant attention: out of 14 different technology areas, it ranked as both the most important and the most deployed over the last 12 months. Although mobile is top of mind and backed by investment, capabilities are still maturing.
Today, mobile security is at a foundational stage of development. The most frequently deployed practices are equipping devices with a mobile device management function (78 per cent) and inventorying devices that use the corporate network or data (76 per cent), typical first steps when securely establishing mobile within an enterprise.
The primary mobile challenge for security leaders is to advance beyond the initial steps and think less about technology and more about policy and strategy. For most of those interviewed, a comprehensive mobile policy and strategy for personal devices is not yet widely used or considered important. Less than 40 per cent of organizations have deployed specific response policies for personally owned devices or an enterprise strategy for bring-your-own-device (BYOD), and very few consider these actions to be most important.
However, security leaders are acknowledging and addressing this gap. Establishing an enterprise strategy for BYOD (39 per cent) and an incident response policy for personally owned devices (27 per cent) are the top two planned areas of development for the next 12 months.
Measurement: Creating the right feedback loop
Today, security leaders use metrics mainly to guide budgeting and to make the case for new technology investment. In some cases, they use measurements to help develop strategic priorities for the security organization. In general, however, technical and business metrics are still focused on operational issues. For example, over 90 per cent of interviewees track security incidents, lost or stolen records, data or devices, and audit and compliance status, the fundamental dimensions you would expect all security leaders to track. Far fewer respondents (12 per cent) are feeding business and security measures into their enterprise risk process, even though security leaders say the impact of security on overall enterprise risk is their most important success factor.
Measurement challenge: Translating security metrics into the language of the business
This gap between the perceived importance of feeding metrics into enterprise risk processes and actually doing so reflects the challenge CISOs and security leaders are facing. The 2012 CISO Assessment found that more mature security leaders measure more things, more frequently (such as education and training, risk, and so on). But what should be done with the information, and how should it be communicated to the business to spur action?