Rob Whiteley

If you’ve been reading the blog, you’ll notice that “shift” is a common theme here with the Security & Risk team. We believe 2010 represents a shift in how CISOs will support their businesses. Today, I wanted to write about how we drew some of these conclusions. This last summer, Forrester conducted a series of in-depth interviews of the various roles we serve. For me, that entailed 30 interviews with various security and risk executives. The goal was to better understand information security and risk priorities and how we can better meet those needs. I must say, it was unlike any research project I’ve undertaken at Forrester. Sure, we asked the normal questions like “What is your role and responsibilities?” and “What are your top priorities?” But I also had the chance to answer very atypical questions like “Who do you turn to for trusted advice?” and “What sources of information do you find most valuable.?”

As a result, we’ll be changing our research heading into 2010. We learned that:

  • Regulations and culture matter most. We hypothesized that CISOs would care most about advice and research based on their industry, size, and geography. Ends up we were wrong. Regulatory environments and the “security culture” are the most important dimensions. Put another way, I can best tailor advice for your security program by asking “Are you in a heavily regulated industry? And is security a part of the corporate culture?” What to expect in 2010: This will be something that we bake into the DNA of our research. Every Forrester document comes with a series of recommendations, but now we plan to tune that advice to your regulatory and cultural environments.
  • Security and risk practices are at a clear inflection point. Most interviewees told us they were struggling to keep up with changing business requirements. Historically, security teams held the “veto” card and could stop activities that compromised the company’s security posture. However, moving forward these execs indicated security must be seen as an enabler. CISOs must find a way for companies to embrace things like social media and consumer devices while assuring the business that it’s being done securely. We think this is an important trend as companies migrate from IT to BT, or business technology. What to expect in 2010: We’ve already introduced the first in a series that we call the “CISO Handbook.” Moving forward, we’ll build on this and provide a series of documents to emphasize the security and risk aspects of the IT to BT transformation. Each doc is a chapter in the playbook of how CISOs must evolve.
  • Security execs turn to peer advice for “benchmarking.” Security execs — despite the reputation of being secretive — actually turn to trusted peer communities as a source of best practices and peer benchmarking. Why? Because security is extremely difficult to quantify. Thus, it’s most valuable to understand how much time and energy your peers are spending in order to convince the business that your security program has the proper budget. What to expect in 2010: We’re working on building out our community platform, which has already been successfully implemented for the Security & Risk Leadership Board. We’re also looking to partner with some SaaS providers so that we can implement a benchmarking engine and dashboard that immediately compares you to peers most like you.
  • Research must be directed at specific security and risk audiences. To date, we’ve written to a generic security and risk audience. But it ends up that security and risk professionals fall into four basic segments: security operations, security architects, security strategists, and business liaisons. Of all of these audiences, we found architects and strategists to be the most veracious consumers of third-party advice and market research. What to expect in 2010: We’ll explicitly identify the “altitude” of our research and make sure that we map topics back to these segments (see figure below). For example, we’ll clarify if we’re offering best practices for a security strategist who is looking to craft policy and educate users versus a security architect building a blueprint for technical controls. 
  • We need more maturity models, policy templates, and other practical tools. And finally, we heard many of the interviewees asking for tools that can implemented directly into security planning and processes. Today we provide strategy and planning tools with the TechRadar and vendor selection tools with the Wave, but security and risk execs also need help with assessing maturing and quickly rolling out new policies. What to expect in 2010: Two things: 1) We’re already underway with research on assessing the many security and risk maturity models already available. Our goal is not to reinvent the wheel, but rather publish a quick self-assessment tool and revamp our information security and risk framework tool for more detailed assessments. And 2) We’ll also be creating ready-made security policy templates for emerging challenges like social media, iPhones and other smartphones, and employee-owned PCs in the workplace.

Picture 3

Although we wrapped up this research in September, it’s an ongoing effort. I’ve continued the dialog with dozens of additional information security and risk management execs — and now I want to hear from you. Are the changes above valuable? What else do you want to see from the Security & Risk team here at Forrester?

[Posted by Rob Whiteley]