CISOs struggling to understand value of security controls data

Many CISOs are grappling with the conundrum of the purpose and value of security controls data in supporting critical business decisions, according to Panaseer.

The biggest concern when taking on a new CISO role is receiving an inaccurate audit of the company’s security posture (54%). This is a tacit acknowledgment that inaccurate security data can hide points of weakness and result in security resources not being utilized efficiently.

The issue of data quality was of greater concern to respondents than the lack of security budget (44%) and being scapegoated for a breach (44%).

The same desire to gain complete visibility into security controls data was also highlighted in the top challenges cited by respondents when starting a new CISO role:

• Getting a true picture of weaknesses in organizational security posture (49%)
• Understanding the threat landscape (45%)
• Getting trusted data to enable strategic decisions (43%)

Understanding where security controls are failing is a critical first step to mitigating cyber risk and making the right decisions. Unfortunately, only 36% of security leaders are totally confident in their security data and use it for all strategic decision making. This is a concerning finding, as without trusted data CISOs might struggle to influence senior business stakeholders and ensure the right people are held accountable for fixing security issues.

“One of the most important things in the world is credibility. If you lose credibility, it’s the hardest thing to earn back from people,” argues Shawn Bowen, SVP and CISO of World Fuel Services. “So when your data lacks credibility, that’s the same problem. You need to know where your data is inaccurate and be up front about it, otherwise if someone else finds the inaccuracies they aren’t going to trust you again.”

Perception vs. reality of security controls

The report found a concerning gulf between respondents’ perception of their security controls and reality. 95% said they are highly or somewhat confident that security controls are working effectively all the time, and 88% declared that they trust their security data is accurate.

As a result, 54% of security leaders said they are very confident in their ability to use security data to prioritize actions to have the greatest impact on risk reduction. 96% are confident to some extent.

However, 79% of responding organizations admitted they have been surprised by a security incident that evaded their controls—indicating that data on the status of controls is either inaccurate, or not being properly interpreted to improve security posture.

There is also evidence to suggest that controls data is not widely viewed as a strategic asset for cyber protection and risk mitigation.

38% of respondents said they are unable to evidence remediation of control failures. 37% classify control failures as a low priority—rising to 43% in financial services companies.

Building data trust

90% of security leaders said that improving the accuracy of cybersecurity data is a priority for them in the next 12 months. Additionally, when asked to consider the impact of AI, 76% are concerned about threat actors using AI to find gaps in their organizations’ security controls.

Given that they spend on average 46% of their time on manually collecting, formatting and presenting this data, finding a more automated way to do it should also be treated with some urgency.

Continuous Controls Monitoring (CCM) can help to deliver the trust in this data that CISOs and other stakeholders need. The benefits of improving data quality and trust are clear, with 84% of security leaders believing that increasing trust in their data would help them secure more resources to protect their organization.

But first there needs to be a mindset change in security leaders and the board—away from using controls data for reporting, and instead embracing it to proactively drive business decisions and stop problems before they occur.

“The industry needs to change if we are to solve the CISO security controls conundrum, and Continuous Controls Monitoring (CCM) can be the catalyst. It isn’t a better reporting tool, it’s a way of knowing what to do next – making day-to-day cybersecurity firefighting easier and getting ahead of the game on strategic risk,” argues Panaseer Security Evangelist, Marie Wilcox.

“At the moment, many leaders don’t know that security controls data can help them do this. It’s understanding the value of a big picture view, and single source of truth rather than multiple siloed perspectives.”

In this way, access to trusted controls data could not only help CISOs address the challenges and concerns listed above, but also tackle their three top priorities in a new role, as cited by respondents:

• Understanding security posture (39%)
• Understand processes for data collection and analysis (38%)
• Audit of security tooling (37%)