The role of chief information security officer (CISO) has existed for no more than 25 years, and to be clear, most organizations have held this position for much less than this. If there is one thing about this role that anyone can agree on, it’s that change is constant. As the cybersecurity threat landscape complexity evolves more every year, so too does the scope of responsibilities and affiliate challenges associated with this prestigious title, according to Fortinet’s The CISO and Cybersecurity: A Report on Current Priorities and Challenges.
With an expanding scope of responsibilities and challenges, CISOs find themselves under greater pressures than ever before, with 63% of CISOs reporting directly to the Board or CEO. With each passing year, cybersecurity becomes more and more critical to protecting the bottom line at many organizations.
The CISO and Cybersecurity Report is based on a survey conducted in January and February of 2019. The report respondents include those with job titles including CISO, chief security officer (CSO) and VP or IT security within companies with more than 2,500 employees. Industries include, but are not limited to, technology, retail, financial services, and manufacturing. The study utilized collected data to analyze the CISO role, including their key challenges, trends within the industry and finally best practices identified by the most successful. The report’s findings have been summarized here.
According to CISOs: Industry Challenges
Top Industry Challenge: Hackers/Attackers
When asked to list their top three industry challenges driving them to improve and enhance their security posture, almost 50% of CISOs who answered listed hackers or other attackers. As IT security systems and threats become increasingly more complex, CISOs are feeling under threat on multiple fronts. At most organizations today, company’s sensitive data and applications often reside in multiple networks and locations. Often within the result of these various points of reference, IT teams find themselves scrambling to protect different parts of infrastructure and web applications at once, greatly increasing the risk of human error as manual workload increases, inevitably resulting in a compromised security posture. In fact, this brings to light the second most commonly reported challenge of CISOs, and that is strategy.
Top CISO Challenges:
Data loss and privacy (28%)
Cost reduction/avoidance (13%)
Risk management (13%)
Top Challenge Resulting from Increased Attack Surface: Increased Complexity
Surrounding the challenges presented by an expanding attack surface, CISOs declared increased complexity almost twice as often as any other response. Again, this really is no surprise given that the increased complexity of networks is what effectively promotes the expanded attack surface previously mentioned. The sheer volume of company data is increasing at such an accelerated rate, that it is often difficult for many organizations to identify most confidential data, let alone protect it from attackers.
CISO Challenges Resulting from Increased Attack Surface:
Increased complexity (47%)
Increased need for learning and development (27%)
Security tool proliferation (25%)
Risk management (19%)
Top Challenges Resulting from Increased Complexity: Increased Need for Learning and Development
With respect to the way expanding complexity of cybersecurity impacts the CISOs ability to fulfill their obligations, the number one response was an increased need for learning and development. Next on the list was the challenge of risk management. As cybersecurity measures become increasingly complex, defining and reporting risk management measurements becomes evermore daunting. In many cases, this highlights the advantage and value found in hiring a third-party penetration testing firm. Many organizations find their internal cybersecurity teams behind the curve, leaving them vulnerable new attack vectors. In contrast, penetration testing firms must stay current in order to stay in business.
CISO Challenges Resulting from Increased Security Complexity:
Increased need for learning and development (41%)
Risk management (24%)
Increase challenges and job stress (24%)
Security tool proliferation (14%)
Cybersecurity awareness (13%)
Best Practices of Top-Tier Enterprises
Of the mentioned 2500 respondents, survey responses indicated that only 19% of CISOs report zero intrusions in the past year. Below is a summary of some of the “Best Practices” that these “top-tier” respondents were more likely to employ:
Top-tier CISOs are 266% more likely to be dramatically increasing their 2019 security budgets.
Top-tier CISOs are 93% more likely to measure and report vulnerabilities found and blocked.
Top-tier CISOs are 35% more likely to address risk proactively – from detection to remediation.
While it might seem counterintuitive for organizations that have been intrusion-free for over a year to dramatically increase their cybersecurity budgets, the top-tiers CISOs were far more likely to be doing so than the bottom-tier organizations. These individuals understand that an evolving threat landscape requires vigilant, proactive action.
Further, top -tier CISOs were 93% more likely to measure, identify and report vulnerabilities, through the use of inhouse security teams and third-party penetration testing firms. Particularly, for organizations involved in DevOps activities, gathering data about vulnerabilities is critical to business operations, and the organizations bottom line.
Coming full circle, top-tier CISOs are 35% more likely to be proactive in their approach to cybersecurity. The very best CISOs recognize the value, from a risk management perspective, in detecting, identifying and understanding vulnerabilities posed for each type of attack posed by attackers. The take-home lesson here is a proactive approach to risk management, and that requires mandating efficient policies and workflows designated to the security processes of detection, prevention, response, and remediation.
CISOs are playing an increasingly integral role in the success of their organizations, and as a result they have inherited increased responsibilities. CISOs who are experiencing intrusions from cyber attacker can benefit from the best practices of those top-tier CISOs who have seen no intrusions. While the initial investment in cybersecurity testing may be a deterrent for many, it is always more cost effective to be proactive, rather than reactive.