CSO - Security is very old in most respects, yet very young in others. As a corporate discipline, security unfortunately languished for years in the basement.
Today, as organizations come to grips with a wide swath of risks, the 2010 State of the CSO survey shows those organizations are rapidly adopting more sophisticated view of security. Of course, there's more work to be done--most prominently in the areas of security metrics and awareness programs.
Let's look at the numbers.
[ Find State of the CSO survey results from 2009 and 2008. ]
1. How well does each statement describe your organization? (Percent who agree or strongly agree with each statement.)
| 2004 | 2010 | |
| Senior management has established a security policy and auditing process | 23% | 81% |
| Senior management views the security leader's role as strategic and permanent | 17% | 72% |
| Security is viewed as essential to business as opposed to an overhead cost | 25% | 66% |
| Security considerations are a routine part of your company's business processes | 28% | 63% |
| All employees receive training in all security policies | 38% | 78% |
| All employees know the sanctions and consequences of a security policy breach | 42% | 63% |
| All managers in the organization understand their roles and responsibilities in regards to security | 45% | 44% |
| All employees consider security to be part of their everyday responsibilities | 38% | 40% |
Take a moment to reflect on the enormous progress reflected in the chart above.
Six years ago, respondents reported a generally low regard for security risk management within their companies. Policies were not defined. Security leaders were sidelined. Training was minimal.
Today's scenario is different on almost every score; 2010 respondents indicate that security programs are well established in most companies, including policies, personnel and training.
Other than Internet marketing, has any other corporate discipline enjoyed such a rapid and widespread rise in credibility during the same decade? At the risk of falling into a cheerleader role, this is worth noting and celebrating. Current events have clearly been a huge driving factor, but today's security leaders still deserve a pat on the back for helping craft the right organizational response to today's threats.
These 2010 numbers aren't a fluke. Progress in each area has been steadily upward over the years.
Having said that, those upward trends highlight the lack of progress in the bottom two issues. (See next chart for more detail.)
2. How well does each statement describe your organization? (Percent who agree or strongly agree with each statement. A breakout of 2010 data from chart 1 above, by company size)
| At big companies | At small companies | |
| All managers in the organization understand their roles and responsibilities in regards to security | 39% | 53% |
| All employees consider security to be part of their everyday responsibilities | 33% | 44% |
This chart digs into a bit more detail on the two lagging issues noted in the first chart. In most awareness issues, big companies tend to score better than small companies. In these two, however--where overall progress is lacking--smaller companies actually report higher scores than their larger brethren.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
