CISOs face an uphill battle when rolling out comprehensive security
The role of the chief information security officer (CISO) is crucial to the rollout of organisation-wide IT security strategies, but they still have an uphill battle, according to research released last week by F5 Networks.
A study conducted by the Ponemon Institute surveyed senior security decision makers in 184 companies across China, India, the United Kingdom, Germany, Mexico, Brazil and the United States.
Despite results showing that 68% of respondents believe CISOs have the final word in IT security spending, the report also found that only 51% of companies have an organisation-wide IT security strategies.
"CISOs are in a tough spot. Organizations are squeezed by cyber criminals, new compliance requirements, and bleeding-edge technologies that erode privacy and stability. The team that leads defense efforts is becoming a more and more vital player in the long-term survival of any organization that sells, uses, or produces information technology—that is to say, everyone," comments F5's CISO Mike Convertino.
47% said their spending budgets had increased, but 40% said they had not changed at all. Budgets are also not being focused in the right areas. 45% said their security function doesn't have clear lines of responsibility and 58% said it is a standalone function.
Security teams are struggling to attract attention from C-level executives: 43% said C-levels review, approve and support those businesses that do have an IT strategy.
Organisations are still running on reactive principles of security as a business priority. Senior executives do pay attention to data breaches (45%) and cybersecurity exploits (43%).
46% said that conversations with senior executives only happen when major incidents have occurred. 19% do not bother reporting breaches to the CEO and board of directors.
"This research provides a unique view into how CISOs are operating in today's challenging environment," Convertino says.
Respondents also see the potential for AI to fill cybersecurity skills shortage gaps. The average IT security headcount will rise from 19 to 32 full-time employees over the next two years.
However 58% have trouble finding qualified people and 48% are not able to offer a market-level salary.
50% of respondents agreed that computer learning and artificial intelligence will be able to serve staff shortages. 70% believe these technologies will be important to other IT security functions in the next two years.
"It's clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. Yet in many organisations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks," Convertino concludes.