Today, we released our CISO Benchmark Study, an annual global survey of information security leaders working at organizations of all sizes and in all industries all over the world. With over 3200 respondents across 18 countries, the study offers a solid view of what’s on the minds and to-do lists of those on the front lines of Infosec worldwide.
This year’s study focused on getting “ready for the unknowns” that exist outside and inside all organizations. Our lines of inquiry explored how respondents set themselves up for success, how they approach vendor/solution selection and alert management, and how they manage breach readiness and response. The findings shed light on actions that are delivering results when it comes to strengthening organizational cyber health, allowing CISOs and other security leaders to learn from their peers.
The Good News
A very interesting and positive finding revealed the benefits of collaboration between the networking and security teams. There was a strong correlation between those who were extremely collaborative and the total cost of their most impactful breach, which was below $100,000―the lowest category of a breach cost. This could suggest an easy way for companies to reap real benefits―by creating culture and processes where teams are aligned on the same outcomes to reduce the silos between these groups.
We also saw notable confidence in cloud-delivered security and in securing the cloud. Ninety three percent of CISOs reported that migrating to the cloud increased efficiency and effectiveness for their teams.
The survey showed the use of risk assessments and risk metrics that span across the business, in part due to cyber insurance, playing a more important role in technology selection and helping CISOs focus on their operational practices. Forty percent of respondents are using cyber insurance, at least in part, to set their budgets.
Measuring outcomes against investments is the best data-driven approach to budgeting. However, controlling security spending based on previous years’ budgets and percent of revenue were both popular choices, but they do not necessarily correlate with better security.
Opportunities for Improvement
Employees/users continue to be one of the greatest protection challenges for CISOs. Sadly, only 51 percent of survey respondents feel they are doing an excellent job of managing employee security. Risky user behavior (e.g. clicking on malicious links in email or websites) remains high and is one of the top CISO concerns. Having an organizational process that starts with security awareness training on day one is essential and should be part of any organization’s culture.
There are proven processes that organizations can employ to reduce their exposure and extent of breaches. Have a plan, test the plan and prepare with drills. Each party – Security, IT, Incident Response, Legal, PR, and Management should all know what role they play and practice it. No plan or drill is perfect, and during a real, dynamic situation, practice allows you to adjust in a predicable way that doesn’t surprise the team and ensures the incident has minimal impact. Bad things will happen, how you respond is the difference from it being a non-event and a headline.
And, it’s no surprise that alert management continues to pose challenges. That’s often because organizations are using multiple disparate security products that don’t share alert data or help prioritize alerts via limited dashboards. This is an area where AI and automation could greatly help. Although vendor consolidation is occurring slowly, there is still a long way to go. Reducing the number of security vendors also helps teams focus on more important work like remediation.
The study offers insights on several other key issues: technology infrastructure refresh, architectural approach and more. We invite you to download the report to read the full details.
It’s compelling for me as a CISO to see these findings. In my own role, I experience the benefits of collaboration and of setting metrics and target outcomes to help plan, budget and better manage risk for our company.
By integrating security and trust across the network, cloud, internet, email and endpoints, Cisco is proud to provide a cohesive set of solutions to comprehensively help security professionals detect and protect their entire enterprise. We’ll keep exploring the latest trends and developments that are challenging security professionals, so we can continue improving our solutions to address tomorrow’s security needs.
For more information, and to access our entire Cybersecurity Report Series of research-based, data-driven reports, visit https://www.cisco.com/go/securityreports.
INTERPOL-DIVISION.
Its a shame the report is of "organisations of all sizes and all industries" as that is precisely what benchmarking aims to avoid.
To benchmark, industry and organisation size a key.
Grouping in a 2 man recruitment firm with a 50,000 person military contractor just results in meaningless statistics that really cant be used for any form of benchmarking by a CISO worth their salt.
How important is it to be asked to join the Cisco Price List in terms of financial success ?