Global CISOs Concerned About Business’ Cybersecurity Readiness

Research by the Ponemon Institute focusing on Chief Information Security Officers (CISO) worldwide has found worrying levels of business readiness for cybersecurity threats.
Drawing on insights from 184 global CISOs, a new F5-comissioned report has highlighted the latest challenges encountered in the increasingly influential role.
“This new research provides a unique view into how CISOs are operating in today’s challenging environment,” said Mike Convertino, CISO, F5 Networks.
“It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. Yet in many organisations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”
Businesses exposed
The Ponemon Institute noted that today’s IT security strategies and tactics are shifting away from a focus on strong perimeters to smart data, networks, devices and applications.
According to 60 per cent of CISOs, material data breaches and cybersecurity exploits are driving change in organisations’ attitudes to security programs. 60 per cent of respondents currently believe security is considered a business priority.
Yet, while awareness levels are clearly growing, the report’s clear message is that there is plenty of room for improvement.
80 per cent of respondents say the Internet of Things (IoT) will cause “significant” or “some change” to their practices and requirements. However, most companies are not hiring or engaging IoT security experts (41 per cent) or purchasing and deploying new security technologies to deal with potential new risks (32 per cent).
Finding the right talent is also a significant hurdle, with 56 per cent struggling to identify and recruit qualified candidates. Almost half of surveyed CISOs branded their staffing as inadequate (42 per cent).
Interestingly, 50 per cent consider computer learning and artificial intelligence important to address staffing shortages. In two years, 70 per cent say these technologies will be important to their IT security functions.
Trouble at the top
60 per cent of CISOs claimed to have a direct channel to the CEO in the event of a serious
security incident. However, only 19 per cent reported all data breaches to the CEO and board of directors. Only 45 per cent have emergency funds to deal with a serious security incident
that may require additional resources. Security program change remains largely reactive, with material data breaches (45 per cent) and cyber security exploits (43 per cent) garnering the most senior executive attention.
The report also found an alarming disconnect between IT and other business departments.
58 per cent of the CISOs’ companies had IT security as a standalone function, meaning most lack an IT security strategy spanning the entire enterprise. Only 22 per cent said security is integrated with other business teams and 45 per cent had security functions without clearly defined lines of responsibility.
Advanced persistent threats (APTs) were ranked the top threat to the security system followed by DDoS, data exfiltration, insecure apps (including SQL injection), credential takeover, malicious
insiders and social engineering.
“Cybersecurity challenges are intensifying worldwide and we need CISOs to step up and be more influential at the top,” added Convertino.
“We also need business-leaders to recognise the growing threat cybersecurity poses in its many shifting forms. The measure of an organisation is how it pre-empts and responds to risk and – more than ever before – CISOs must lead the charge in this respect.”