IBM's Center for Applied Insights interviewed more than 130 security leaders around the world for the report, entitled Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment. It found that the executives fell into three categories -- the Influencers, the Protectors, and the Responders.

'Confident and Prepared'

The Influencer-type security executive is identified in the study as being "confident and prepared," influencing business strategy relating to security. According to the study, Influencers' organizations rank highest in key determining factors. These include the likelihood that they have a dedicated CISO, have a security and risk committee, feature information security as a regular board topic, or use a standard set of metrics to measure progress.

David Jarvis, the report's author, said in a statement that the more advanced Influencers represented a new class of CISO leaders "who are developing a strategic voice." He said this maturing of the role is similar to the pattern the evolved the modern CFO position in the 1970s and the CIO in the 1980s, in each case from a technical to a strategic business role.

Protectors are less confident, and, although they prioritize security on a strategic basis, they lack necessary structural elements that exist in Influencers' organizations, since they rank second in the key determining factors, such as the likelihood of having a CISO.

Responders are the least confident, are focused largely on protection and compliance, and they rank third in the determining factors.

While Influencers connect strategy to security, the report described Responders as those who are more concentrated on a tactical focus.

Influencers' Practices

The report recommended that Responders can move beyond this by establishing "a dedicated security leadership role" like a CISO, by assembling a committee to measure progress in battling security risks, and by automating routine processes so that more time can be spent on innovation.

Influencers also are more likely to be focused on improving enterprise communication and collaboration about security, and in providing education to employees. Influencers, which the report sees as the direction for security executives in more advanced organizations, see security as a business imperative, not only a technological one, and they are more likely to use data to drive decision making.

Their metrics include tracking user awareness, the level of employee education, the ability to deal with future threats, and the integration of new technology, all of which contribute to a risk-aware culture in the enterprise.

Organizations with influencers have located control of the information security budget in the hands of either the CIO or the CEO. Less-advanced organizations often do not maintain a dedicated budget line item for security, the report found.

In percentages, 71 percent of the surveyed advanced organizations had budgets dedicated to security, compared with 27 percent of less-advanced ones.