
The current state of the CISO

(Image credit: Balefire / Shutterstock)

There’s no doubt that going digital is a big deal for companies. While it can offer a multitude of advantages and benefits in terms of efficiency and market reach, it also exposes the firm to serious risks. These can come from inside the organisation, in the form of rogue or clueless employees and careless contractors, or from outside, in the form of malicious actors or coordinated state-sponsored attacks. Cybercrime has exploded in recent years, and the buying and selling of Distributed Denial of Service (DDoS) attacks and other services on the Dark Web has generated billions of dollars for cybercriminals globally.

The underground economy even attracts actors that would usually shy away from more traditional forms of crime. For example, “booter” services for ‘DDoSing’ others have become widespread thanks to easy access to hacking tools, the cloak of anonymity provided by the Dark Web, and the difficulty of tracking and prosecuting cybercriminals.

To shed light on how the corporate world is reacting to this new, threat-filled digital environment, Cisco recently surveyed 3,200 security leaders in 18 countries for its 2019 CISO Benchmark Report. It revealed that the cyber-threat landscape is a top-of-mind concern and that 65 per cent of respondents struggle to determine the scope of cyber-attacks, contain them and repair the damage they cause.

Know your cyber-risk posture

The report found that less than a quarter (24.1 per cent) of the security alerts that were investigated this year were actually legitimate, down from 34 per cent in 2018. This indicates that the tools used to determine which alerts should be looked into are failing at what they’re supposed to do. Worse, there is a big drop in the number of legitimate alerts that were remediated – from 50.5 per cent in 2018 to 42.8 per cent this year.

This remediation shortfall is significant, since many CISOs consider remediation a key indicator of security effectiveness. The number of respondents who use mean time to detection as a measure of effectiveness dropped from 61 per cent in 2018 to 51 per cent in 2019 on average. Time to patch also dropped in focus, from 57 per cent (2018) to 40 per cent (2019). The clear message is that acting to counter threats is taking longer than it used to.

How to spend your budget

Almost half (47 per cent) of CISOs are figuring out how to control the security spend based on the security objectives of their organisations. The best data-driven approach is to measure outcomes against investments. Further, 98 per cent of CISOs “strongly” or “somewhat” agree that their executive team has set up clear metrics for assessing the effectiveness of their security program. This is an unexpected finding of the Cisco report, as most other studies highlight the absence of effective security metrics.

At the same time, the report notes that just under half of the respondents say that various departments in their companies are using metrics to make risk-based decisions, improve processes, and to gauge security effectiveness across the organisation.

Collaboration pays off

Almost all (95 per cent) of CISOs feel they have cultivated “very” or “extremely” collaborative relationships between their networking and security teams. The ones that didn’t operate in silos yielded tangible financial benefits. In that group, 59 per cent said the financial impact of their most impactful breach was less than $100,000 – the lowest category of breach cost.

This finding suggests further analysis is warranted and that creating more DevSecOps teams may be a sound idea. The collaboration among these teams shouldn’t be happenstance, but planned, especially in the age of agile development.

The diverse costs of a breach

The potential blowback from a security breach can include financial losses, brand and reputational setback or ruin, loss of stockholder confidence, theft of proprietary or customer data, and regulatory and non-compliance penalties.

However, in terms of what really keeps CISOs awake at night, there is a clear shift towards issues of perception and sentiment. An examination of Cisco’s year-on-year data shows that the desire to keep operations running obviously remains strong, but that customer retention (26 per cent in 2018 vs. 33 per cent in 2019) and brand reputation (27 per cent in 2018 vs. 33 per cent in 2019) both grew notably as key concerns.

The financial ramifications vary even more wildly. While 31 per cent of organisations suffered costs of less than $100,000 following their most serious security breach, another 20 per cent suffered between $100,000 and $500,000 in damages. A further 16 per cent took a financial hit somewhere between $500,000 and $1,000,000. A quarter of CISOs reported costs between $1 million and $5 million. Only 8 per cent reported damages of more than $5 million.

Questionable incident response

While 61 per cent of organisations run a drill or practice exercise every six months to test their planned responses to cybersecurity incidents, only 74 per cent of them were up to speed on business continuity and disaster recovery. Moreover, only 75 per cent of the survey respondents were very knowledgeable about incident response. This is not as it should be. In fact, everybody in an organisation – not just security – should know what to do in the event of an IT breach.

The key to discovering unknown threats and doing something about the right type of threat is rooted in an effective security posture. The fact is, longer detection times and fragmentary incident response plans make organisations more vulnerable. To reduce risk and minimise the damage from threats, organisations need to focus on reducing their time-to-detection and introduce time-to-mitigate as a new KPI. Discovering and identifying a threat is one thing, but what truly matters is nullifying the threat. Everything else is just a substitute for action.

The only way to determine an organisation’s security needs is to ensure that collaboration happens across departments. IT, Networking, Security, and Compliance groups cannot remain siloed – they need to work together. They can also use Artificial Intelligence (AI), Machine Learning (ML) and more automation to beef up their security efforts by accelerating both time-to-detection and time-to-mitigate, and by precluding human error. Organisations can employ one of many proven processes to reduce their exposure to (and the extent of) security breaches. Regular fire drills, ideally involving all employees, are essential to ensure swift recovery.

Marc Wilczek, COO, Link11