CISO role grows in stature, but challenges remain
In order to find out how CISOs perceive the state of their profession, Optiv Security interviewed 200 CISOs or senior security personnel with equivalent responsibilities in both the US and the UK.
Survey respondents indicated a fundamental change in how senior executives and board members perceive cybersecurity. Perhaps most surprising was the fact that 58% said experiencing a data breach makes them more attractive to potential employers. This stands in stark contrast to years past when a data breach was often a fireable offense for CISOs.
Other notable results related to this topic include:
- 96% either slightly or strongly agreed that senior executives have a better understanding of cybersecurity than they did five years ago.
- 67% said their businesses prioritize cybersecurity above all other business considerations.
- 76% indicated that cybersecurity risk has become important enough to businesses that CISOs will begin to be named as CEOs.
Ignoring best practices
The survey also found that a significant number of CISOs are not following best practices with cybersecurity.
More than half (54%) of U.S. CISOs and 44% of U.K. CISOs indicated that they practice their incident response plans at a frequency of once a year or less. Industry best practices call for frequent incident response tests and practice, so teams are ready for the real thing when it happens.
When asked, “If you could stop the business for six months and have the luxury of time to execute any security priorities, which areas would you choose to focus on?”, the answer, “Catch up on basic functions like patching and vulnerability scanning,” finished dead last – even though unpatched vulnerabilities are often cited as the most common source of data breaches (57% of all breaches, according to a study by the Ponemon Institute).
Finally, CISOs were in broad agreement (88%) that it would be worthwhile to have a global treaty in place on cybersecurity, like the Geneva Convention, where countries agree to a set of principals governing their conduct on the internet.