By Lior Arbel, Co-Founder at Encore
Chief Information Security Officers (CISOs) are the face of cybersecurity within an organisation, and expectations of this role have reached new heights as a result.
It’s clear that some businesses are still battling with the ‘it will never happen to me’ illusion. Others splash the cash on the latest cyber products with the belief that more security means better security. Both mindsets are outdated at best, dangerous at worst.
Our latest research analyses how the role of CISO has changed, the challenges they face today, and what this means for the overall business.
Reporting to the board
We are seeing that boards are far more willing to talk about cybersecurity than ever before. For 50% of C-suite executives, cybersecurity is top of the agenda, and only 4% of organisations choose not to discuss it at all in the boardroom. However, we’re still not where we need to be.
A natural gap still exists between the board and CISOs, and it’s the latter’s responsibility to translate risk and response in a way that is accessible to all. Failure to do so has devastating impacts, demonstrated by the 60% of security leaders who do not feel fully supported by the board in mitigating security threats.
The fact that 12% of C-suite executives still only discuss cybersecurity when a breach occurs means the attitude of ‘deal with it when it becomes a problem’ persists. No matter how small the number, if this attitude continues, countless organisations remain at risk.
Currently, over half of CISOs feel the board does not provide ample investment for cybersecurity to effectively defend the organisation. When the cost of a breach is so high, businesses cannot afford to be lax in their cyber investment.
But it all comes back to security leaders being able to translate this risk to those who don’t see them every day, and perhaps struggle to recognise the severity. Our research shows that 89% of C-level executives have a formal plan in place for when a breach occurs – which is critical – but strategies must begin much earlier on if businesses are to greatly strengthen their security posture.
Managing and educating staff
Human error is still one of the biggest causes of cyber breaches today, with research from the World Economic Forum revealing that 95% of security threats people face today have in some way been caused by human error.
Around 94% of CISOs feel their company provides adequate cybersecurity training, and 80% of employees agree. Yet over a third of office workers use their personal devices for both work and personal purposes, so there is clearly a gap between knowledge and application.
Increasing cyber attacks
According to our survey, 69% of CISOs currently consider data theft to be the primary risk to their business, but the ways in which adversaries conduct their attacks are unlimited.
From a C-level perspective, a major breach means big losses, both financially and reputationally. Over half of CISOs identified the biggest financial impact as being the recovery process after an attack, including any ransoms to be paid, downtime, and recovering lost assets. The price of poor security is increasing, so the stakes for businesses are at an all-time high.
See our eBook on ‘A CISO’s Perspective’ here for more information, including our advice to CISOs as they continue to face the challenges of a volatile industry.