Cyber Resilience Tops List of Priorities for CISOs

ClubCISO, a global private members forum for information security leaders, powered by Telstra Purple, today unveils the findings from its seventh annual 2020 Information Security Maturity Report. The report, which provides the current view of the security and cyber resilience issues facing businesses across the globe, indicates that new geopolitical risks and the emergence of COVID-19 are testing CISOs.

Despite the added pressure, the report outlines the resilience of CISOs and shows they are making a significant and valuable impact across their organisations – often with the support of business leaders and brilliant new teams.

This year, the research identified cyber resilience as one of the top three hot topics on the CISO radar, along with security culture and cloud security.

Faced with today’s unprecedented challenges, an increasingly fragmented workforce and the constant evolution of geopolitical threats, the security function needs to be increasingly resilient to pressure. Progress is being made in response to this, with 39% of CISOs having implemented a strategic security operating model to embed security awareness within the culture of the organisation and 43% saying they have one in development.

“This year, our ClubCISO Information Security Maturity Report highlights how a robust and resilient security culture is now more important than ever as businesses combat unknown threats in the wake of the pandemic;” comments Dr. Jessica Barker, Chair of ClubCISO.  “It is important to put people at the centre of any response strategy and encourage a positive culture of understanding and awareness around security issues.”

CISOs say they are optimistic about their preparedness for their organisations’ ability to adapt to the current challenges. However, more employees are falling foul of phishing messages as malicious attacks by outsiders continue to target remote workers (40% of material incidents caused by malicious outsiders and 42% by non-malicious insiders as cited by CISOs in the report). To address this, over the next few months security teams will focus on creating a stronger security culture within organisations with awareness training and live-fire training exercises. Whilst nearly all CISOs report they’re working to establish a good security culture, few admit to being at ‘best practice’ stage with fewer than one-half believing their organisations have positive security cultures, a similar figure to last year.

More than one-third of CISOs don’t think their boards see information security as important a function as they do and struggle to get security alignment with many areas of the business such as HR, legal, IT and innovation teams. CISOs also reveal that the maturity of processes for measuring and managing supply chain risk have grown worse. To address such issues, most organisations have adopted a ‘future state’ or ‘target operating model’ (TOM) approach to building a more robust security posture, which typically incorporates security frameworks such as ISO27001 or NIST.

Despite being able to respond to today’s unprecedented challenges, CISOs are more pessimistic about their organisations’ overall ability to meet security requirements – a growing trend over recent years. Nearly one-quarter remain frustrated with their organisations’ approach to security whilst others cite factors such as lack of resources and support, as well as still not seeing eye-to-eye with senior leadership. Despite this, 20% of CISOs rated their overall security posture as ‘managed’ or ‘optimising’ – an increase from 14% in 2019.

Whilst 94% admit to stress in their job and 61% CISOs say their stress levels have increased, one in five CISOs embrace this stress as a positive, with those experiencing negative or unbearable stress falling from 33% in 2019 to 24% in 2020. Notably, most CISOs typically move on within a couple of years in the role, the main reason being for furthering their careers.

While a quarter of CISOs experience negative stress, the picture is less positive for the people who work for them with 42% of CISOs saying stress is affecting their teams. Despite this, only one-third of CISOs say they are struggling with retention yet more than half say they have frequent difficulties with recruitment. Much of the blame for this goes on recruitment processes and lack of understanding from HR about what is required from roles and candidates. Whether dealing with changing geopolitical and external threats, the demands of the business, or the ongoing issue of a stressful role and being understaffed, there are significant challenges that face the CISO in 2020.

On a more positive note, the survey shows that CISOs are confident that their teams are inclusive and diverse – bringing new ideas, opinions and approaches into the security function. Historically, the industry has been known to lack diversity, so it is encouraging to see this change within the team. Likewise, this year has seen a steady increase in the number of younger people entering the profession, with over half of CISOs saying their best recruits are either security graduates or apprentices.

“It is really encouraging to see confidence amongst CISOs to meet their organisational objectives has improved from last year. We are going through challenging times, but CISOs have shown confidence in their inclusive and diverse teams to get the job done. Although there maybe divisions within organisations between departments, there has never been a time where corporate alignment with a diverse security team is needed more. We are seeing a reassuring shift in security investment and awareness, something which is vital for organisations to remain digitally agile. The need for security teams to take their own organisation, customers and suppliers on a security transformation has never been quite so important.”

Despite these improvements amid such challenging conditions, there is still much to be done; most of all, keeping on top of emerging and unforeseen risks. On top of that, while CISOs themselves are starting to come to terms with the impact of stress on their jobs (even if they love the role slightly less year on year), their teams are starting to feel the pressure in a way that could have a lasting negative impact. As today’s resilient CISOs are aware, this is a rising issue that they can lead the charge on. To counter the problem, CISOs recognise that their security teams need to be as diverse as possible whilst hiring policies are evolving to make them more inclusive in future. There are also notable improvements in the number of apprentices and security graduates coming through.