Drawing on insights from 184 global CISOs, a new F5-comissioned report has highlighted the latest challenges encountered in the increasingly influential role.
“This new research provides a unique view into how CISOs are operating in today’s challenging environment,” said Mike Convertino, CISO, F5 Networks.
“It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. Yet in many organisations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”
Businesses exposed
The Ponemon Institute noted that today’s IT security strategies and tactics are shifting away from a focus on strong perimeters to smart data, networks, devices and applications.
According to 60 per cent of CISOs, material data breaches and cybersecurity exploits are driving change in organisations’ attitudes to security programs. 60 per cent of respondents currently believe security is considered a business priority.
Yet, while awareness levels are clearly growing, the report’s clear message is that there is plenty of room for improvement.
80 per cent of respondents say the Internet of Things (IoT) will cause “significant” or “some change” to their practices and requirements. However, most companies are not hiring or engaging IoT security experts (41 per cent) or purchasing and deploying new security technologies to deal with potential new risks (32 per cent).
Finding the right talent is also a significant hurdle, with 56 per cent struggling to identify and recruit qualified candidates. Almost half of surveyed CISOs branded their staffing as inadequate (42 per cent).
Interestingly, 50 per cent consider computer learning and artificial intelligence important to address staffing shortages. In two years, 70 per cent say these technologies will be important to their IT security functions.
Trouble at the top
60 per cent of CISOs claimed to have a direct channel to the CEO in the event of a serious security incident. However, only 19 per cent reported all data breaches to the CEO and board of directors. Only 45 per cent have emergency funds to deal with a serious security incident
that may require additional resources.
The report also found an alarming disconnect between IT and other business departments.
58 per cent of the CISOs’ companies had IT security as a standalone function, meaning most lack an IT security strategy spanning the entire enterprise. Only 22 per cent said security is integrated with other business teams and 45 per cent had security functions without clearly defined lines of responsibility. 75 per cent reported that a lack of integration concerning business functions, turf and silo issues exerted a significant influence (36 per cent) or some influence (39 per cent) on IT security tactics and strategies.
Communication is another pressing issue. While 65 per cent of CISOs communicate directly with senior executives, it is rarely to strategically discuss all organisational threats. 46 per cent admitted CEO and board of directors’ communication only happens in the event of material data breaches and material cyber-attacks. Only 19 per cent report all data breaches to the CEO and board of directors.
Security program change remains largely reactive, with material data breaches (45 per cent) and cyber security exploits (43 per cent) garnering the most senior executive attention.
The challenge ahead
Most CISOs agree cybersecurity threats are here to stay. Organisations represented in the study experienced an average of two data breaches in the past 24 months. 83 per cent say the frequency of data breach will increase or stay the same. 87 per cent believe the severity of data breach incidents will increase or stay the same.
On average, respondents also experienced three cyber exploits or attacks in the past 24 months. 89 nine percent of respondents said cyber exploits will increase or stay the same. 91 per cent predicted the severity of cyber exploits or attacks would increase or stay the same.
Advanced persistent threats (APTs) were ranked the top threat to the security system followed by DDoS, data exfiltration, insecure apps (including SQL injection), credential takeover, malicious
insiders and social engineering.
Another major challenge for CISOs are legislative changes, particularly the European Union’s imminent General Data Protection Regulation (GDPR), which affects any company doing business with member states. 72 per cent of respondents agreed that cultural differences among people and business operations around the globe have a direct influence on local security requirements.
“Cybersecurity challenges are intensifying worldwide and we need CISOs to step up and be more influential at the top,” added Convertino.
“We also need business-leaders to recognise the growing threat cybersecurity poses in its many shifting forms. The measure of an organisation is how it pre-empts and responds to risk and – more than ever before – CISOs must lead the charge in this respect.”