Conference Board
There’s a serious security disconnect going on at our nation’s largest and most vulnerable companies: "The most supportive executives [such as CIOs] were not the most influential, and the most influential executives (senior C-suite managers) were not the most supportive." That’s the key finding from a new Conference Board report on security entitled “Navigating Risk—The Business Case for Security.”

The study measures the influence of security managers among senior executives; the Board surveyed 213 senior corporate executives not specifically responsible for security or risk matters and not CIOs, at companies at especially high risk: “critical infrastructure industries (including energy and utilities, chemicals, and transportation), large corporations, multinationals with global operations, and publicly-traded companies.”

The study found:

there is a strong disconnect between the level of support for security
initiatives and the level of influence over security policy within the companies
surveyed. “Security directors appear to be politically isolated within their
companies,” says Thomas Cavanagh, Senior Research Associate in Global Corporate
Citizenship at The Conference Board and author of the report. “They face a
challenging search for allies when they need to gain support from upper
management for new security initiatives.”

It also found that while security is seen as aligned with operational risk, it’s not viewed as well-aligned with company strategy:

Companies reported less alignment of security with long-range strategic
objectives of the firm. For example, among senior executives, 56% see their
company’s security operation as effectively aligned with the need to keep pace
with competitors, and half of the sample believe security has been effective in
reducing insurance premiums. Much lower proportions saw security as contributing
toward enhancing the value of the brand (44%), managing the supply chain (36%),
or pursuing new business opportunities (35%).” The results “suggest that
security remains a function that is mired in operations in the eyes of senior
executives,” says Cavanagh.”

Measures of the effectiveness of corporate security are less sophisticated than even the measures for IT or HR effectiveness. The focused on how much a problem costs, not on contribution to strategy:
The most helpful measures were the cost of business interruption, (cited by 64%); vulnerability assessments (60%); and benchmarking against industry standards (49%). Another group of helpful metrics was explicitly related to insurance costs, such as the value of facilities (44%), the level of insurance premiums (39%), and the cost of previous security incidents (34%). The choice of metrics varies widely across industries.

Our own security survey has also found that management support for security is a problem (Finding 1.2). But while our survey finds there is a trend toward greater integration of IT security with risk management (Findings 6.1 and 6.2), the Conference Board study suggests that IT security's part in the overall risk picture is not as well-understood or supported as IT executives think. It helps explain why so many IT executives complain that their company takes too tactical an approach to security (Finding 6.3). CIOs can't take support for security for granted. Maybe they should enlist the help of those anxious chief marketing officers who were surveyed in the CMO Council's study on security.