Chief information security officers (CISOs) hold some very big purse strings — they’re predicted by Gartner to spend $124 billion worldwide this year on information security and services. What do they get for all that money?
A new report gives a partial answer. Published by Denver-based security solutions integrator Optiv Security, “The State of the CISO” report is based on the company’s recent survey of 200 CISOs or functional equivalents. All respondents worked in either the United States or the UK for organizations with at least 500 employees.
Not surprisingly, the CISOs say cybersecurity has become a top strategic issue. Among the U.S. respondents, 70% say their business leaders have instructed them to prioritize cybersecurity, even if it slows productivity for some users.
Along the same lines, virtually all (96%) respondents say their business execs have a better understanding of cybersec than they did 5 years ago.
The CISOs seem a pretty contented group. More than two-thirds (70%) say that after their organization’s most recent data breach, the recovery was well coordinated and successful.
What’s more, experiencing a breach is no longer seen as a career-ender. In fact, more than half (58%) of the CISO respondents said experiencing a data breach actually makes them more attractive to potential employers.
They could be moving up, too. Just over three-quarters (76%) of the respondents believe that managing cybersec has become so important, some high-profile CISOs will soon be promoted to CEOs.
When asked to rank their cybersecurity activities by importance, more than half (57%) of the U.S. CISOs gave top billing to realigning development and security processes into the DevSecOps model.
Other activities ranked important included educating employees to create a stronger security culture (cited by 54% of U.S. CISOs) and simplifying the IT infrastructure by limiting the number and types of security tools (52%).
Among UK respondents, the ranking differed. For them, the most important activity was employee education (cited by 58%). It was followed by simplifying the infrastructure (54%) and adopting DevSecOps (47%).
What are the greatest security threats? According to U.S. respondents, employees/insiders (cited by 33%); third parties (26%); criminal organizations (20%); hacktivists (20%); and nation states (1%).
In the UK, the order differed. These respondents said their top threat comes from criminal organizations (31%). It was followed by hacktivists (28%), employees/insiders (26%), and third parties (15%).
One final question suggests that many CISOs could be more vigilant: How often do you rehearse your incident response?
Only 16% of U.S. respondents said they do so more than twice a year. And fully a third (36%), the largest group, said they rehearse less often than once a year. So much for "practice makes perfect."