With business and technology becoming increasingly intertwined, organizations are being forced to rethink how they look at digital security. Once overlooked or viewed as a mere afterthought, today it has become a business-critical necessity. As a result, organizations across industry lines are racing to improve their security postures. Chief Information Security Officers (CISOs) are at the core of this transformation, spearheading a wave of proactive and future-forward cybersecurity change while enabling security-first innovation.
The latest Information Security Maturity Report 2022 published by ClubCISO, explores the hopes, challenges, opportunities, and frustrations of information security leaders.
Over the years, broader cybersecurity awareness has been growing, with the executives and stakeholders of today focusing on the value of instilling a security-first attitude at all levels. With organizations paying closer attention to their security culture, there has also been a noticeable, positive shift in security culture. Over 65% of the CISOs surveyed this year reported that their organizational security culture was making good progress or was on par with best practices. Leadership endorsement and simulated phishing were found to have been the most beneficial exercises for fostering this positive security culture. Additionally, the 'proactive (report it) no blame' policy – encouraging employees to report errors, such as clicking on a malicious link – has fueled remarkable advancements, incentivizing productive security advancements without hassle.
The pandemic-induced shift to remote/hybrid working has been widely recognized as a landmark event for digital security. As it opened up organizations to a host of new security challenges, the strategic value of the CISO grew. Thus, resulting in CISOs retaining or extending their influence within their organizations. Nearly half of CISOs report that the shift has brought about positive changes to security attitudes as well.
When security leaders were asked about the biggest challenges to achieving their goals, the most notable one was, unsurprisingly, the lack of sufficient staff. It was closely followed by the speed of business change and budgetary concerns.
Of the most important technology topics on the surveyed CISOs’ radar, the top four are cyber resilience, culture, cloud, and Identity and Access Management (IIAM), which echoes past trends. However, it is interesting to note that due to the global conditions this year, geopolitics has become a prominent topic of interest.
In a promising sign of things to come, a majority (67%) of CISOs stated that their organization’s security budget had increased compared to last year. This highlights the fact that organizations are understanding the need to drive significant investments to realize their security goals. Security leaders are also increasingly in control of the deployment of the stipulated funds, empowering them to allocate resources in a manner they see fit.
Similar to the reported lack of sufficient staff, it is also no surprise that many of the surveyed organizations relied extensively on cloud, either in a hybrid or cloud-only configuration. A significant number also reported that their cloud reliance would increase in the coming years. Unfortunately, progress in cloud security has been rather scarce, with maturity levels not keeping up with the pace of evolution.
While it is clear that security decision-makers are keen to regularly reassess and fine-tune their investments to adapt to industry changes, not all areas demand equal focus. IAM and Security Information and Event Management (SIEM) are the most prioritized areas for security investments. While Governance, Risk and Compliance, and Vulnerability management tools trail behind closely.
Reflecting the headway made at ground level, 68% of the surveyed CISOs felt that their organization was able to meet key security objectives, signaling remarkable progress. However, at the board level, executives seem to be mostly concerned about regulatory compliance and maintaining overall maturity. This may be a consequence of the wider push by regulatory bodies due to mounting security and privacy concerns across the globe, and the tendency of boards to focus on maintaining operational ability.
While enterprises have gotten only slightly better at managing third-party risk, overall, risk management programs have matured considerably. Nearly twice as many respondents (35%) reported a “managed” or “optimized” posture compared to the previous year. And CISOs are more confident than ever in their organizational security postures, with a whopping 46% percent of them indicating positively in this regard.
In perhaps what is one of the most important risk indicators, the number of material breach incidents in the past twelve months has dropped dramatically, with over half of the surveyed security leaders reporting that their organization did not face a material breach at all, in the said period. However, among those that did, the most common attack vectors were found to be non-malicious insiders and social engineering attacks. The insidious threat from the malicious insider remains a significant concern.
Most security leaders reported that cyber insurance is a critical part of their overall risk management toolkit. However, despite satisfactory outcomes in nearly all of the claim cases, renewal prices and coverage criteria present serious hindrances to further adoption.
Recent developments in the personnel aspects of cybersecurity paint a multifaceted picture. While organizations still have a long way to go in tackling and managing stress, there have been notable advances in numerous areas. Perhaps most prominently, a sizable majority of CISOs are recruiting from diverse backgrounds to cultivate more-capable and well-rounded teams. And as organizations scramble to attract and retain talent, morale and team-building exercises are taking center stage. Be it offering flexible working hours or creating a great team culture, or even facilitating an open environment, activities catering to the most pressing employee concerns are yielding the most beneficial results.
Simultaneously, the industry-wide shortage of skilled professionals has motivated CISOs to look inwards. Be it supporting apprentices or nurturing talent within existing teams, organizations are investing more in existing personnel. As far as CISOs themselves go, opportunities to influence and drive change as well as being valued by their organization are the most crucial factors in motivating them to stay in their existing jobs. With CISOs being the most important strategic leaders in security, it is no surprise that when talent attraction and retention are concerned, the onus falls on them to build appealing teams while also championing a positive security culture.
With rapidly expanding enterprise perimeters and evolving threat actors, the role and significance of the CISO have grown considerably. In 2022, an overwhelming majority of security leaders believe that they add value to the business, and rightly so. Overall security postures are considerably better this year, and organizations have also gotten better at managing risk. This remarkable progress has only been possible due to the security charge spearheaded by CISOs. But there is still a long way to go as the security gap is alarming in areas such as cloud maturity, internal threats, and third-party risk.
For CISOs to be truly effective, they must help their organizations leverage positive security advancements to realize better business outcomes across the board.
About the Author: Srikar Sai is a technology writer with a background in business. He primarily specializes in breaking down complex cybersecurity topics to the broader business audience and aims to raise awareness about the latest happenings in the digital world. In his work with various IT and cybersecurity companies, he has helped create content across multiple channels. As someone who is deeply passionate about technology, he enjoys learning and writing about how it influences and shapes the world around us.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.