CISOs: Managing C-Suite Concerns

Security Leaders Need to Improve Their Communication Skills

David Jarvis


As security leaders continue to gain influence with C-suite executives and boards of directors, they need to overcome communication challenges, says IBM's David Jarvis.

The good news: Security leaders generally have good working relationships with their boards and top executives, says Jarvis, manager at the IBM Center for Applied Insights, who discusses the results of an international study of chief information security officers.

"They communicate with them regularly, on average once a quarter," Jarvis says in an interview with Information Security Media Group [transcript below]. "They talk about risk. They talk about budget with them."

But where CISOs can continue to improve is in how they communicate with the C-suite, he says.

"CISOs have to do a really good job getting past the technical jargon and language, even though they really have to be expert in those areas," Jarvis says. "We can't forget technology when we talk about risk. But [CISOs] have to wear the second hat and be business-savvy to be able to communicate those complex, technical security problems."

Another challenge for CISOs is to deftly address the differing security concerns of each senior executive, Jarvis says.

"A CEO might be worried more about customer trust or the overall perception of the business," he says. "CFOs are going to be worried about financial loss due to some sort of security incident or breach. COOs are going to worry about operational downtime if the website goes down."

Those different worries present a real hurdle for security leaders, Jarvis says, because they must figure out how to "address those diverse business concerns, how to do that well and how to build that trust and have that communication."

Among the main findings of the study:

Nearly 70 percent of security leaders surveyed say they develop their security strategy in conjunction with other business strategies; 80 percent say they're aware of the security concerns of the CEO; 71 percent track the impact of security to the overall risk to their organization; and 30 percent plan to develop an enterprise strategy for bring your own mobile device and 29 percent have already done so.

Jarvis was named in September as manager at the IBM Center for Applied Insights, which researches and analyzes how organizations lead the implementation of IT and IT security. He previously worked at the center for three years, leading a number of research projects on the roles of CISOs and chief information officers. He is an adjunct faculty member in the Business Studies and Economics department at Salve Regina University in Newport, R.I.

Assessing CISOs

ERIC CHABROW: Take a few moments to summarize the main findings of your study.

DAVID JARVIS: This is our second CISO assessment. We did our first one last year and it came out last May. In that assessment, we looked at categorizing and describing different maturity levels for security leaders. This year, we wanted to go deeper and understand practices and what the mature security leaders are doing to make themselves more successful.

We looked at three different areas: business practices, technology and measurement. From a business practice standpoint, we heard from the interviews that we did as part of the assessment that a strong strategy and policy is extremely important, [along with] comprehensive risk management, really good business relations focusing on building trust and building relationships, and then good communications. That came up again and again. We asked people what advice you would give new security leaders or new CISOs. What have you done that has made yourself successful? But there are also business talents there as well. We asked them in their dealings with their board and their C-suite what they were worried about. The good news is that a lot of those security leaders we talked to have good relationships with their board and with their C-suite. They communicate with them regularly, on average, once a quarter. They talk about risk. They talk about the budget with them.