Research by the Ponemon Institute focusing on Chief Information Security Officers (CISO) worldwide has found worrying levels of business readiness for cybersecurity threats.
Drawing on insights from 184 global CISOs, a new F5-comissioned report has highlighted the latest challenges encountered in the increasingly influential role.
“This new research provides a unique view into how CISOs are operating in today’s challenging environment,” said Mike Convertino, CISO, F5 Networks.
“It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. Yet in many organisations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”
Businesses exposed
The Ponemon Institute noted that today’s IT security strategies and tactics are shifting away from a focus on strong perimeters to smart data, networks, devices and applications.
According to 60 percent of CISOs, material data breaches and cybersecurity exploits are driving change in organisations’ attitudes to security programs. 60 percent of respondents currently believe security is considered a business priority.
Yet, while awareness levels are clearly growing, the report’s clear message is that there is plenty of room for improvement.
80 percent of respondents say the Internet of Things (IoT) will cause “significant” or “some change” to their practices and requirements. However, most companies are not hiring or engaging IoT security experts (41 percent) or purchasing and deploying new security technologies to deal with potential new risks (32 percent).
Finding the right talent is also a significant hurdle, with 56 percent struggling to identify and recruit qualified candidates. Almost half of surveyed CISOs branded their staffing as inadequate (42 percent).
Interestingly, 50 percent consider computer learning and artificial intelligence important to address staffing shortages. In two years, 70 percent say these technologies will be important to their IT security functions.
Trouble at the top
60 percent of CISOs claimed to have a direct channel to the CEO in the event of a serious security incident. However, only 19 percent reported all data breaches to the CEO and board of directors. Only 45 percent have emergency funds to deal with a serious security incident that may require additional resources. Security program change remains largely reactive, with material data breaches (45 percent) and cybersecurity exploits (43 percent) garnering the most senior executive attention.
The report also found an alarming disconnect between IT and other business departments. 58 percent of the CISOs’ companies had IT security as a standalone function, meaning most lack an IT security strategy spanning the entire enterprise. Only 22 percent said security is integrated with other business teams and 45 percent had security functions without clearly defined lines of responsibility.
Advanced persistent threats (APTs) were ranked the top threat to the security system followed by DDoS, data exfiltration, insecure apps (including SQL injection), credential takeover, malicious insiders and social engineering.
“Cybersecurity challenges are intensifying worldwide and we need CISOs to step up and be more influential at the top,” added Convertino.
“We also need business-leaders to recognise the growing threat cybersecurity poses in its many shifting forms. The measure of an organisation is how it pre-empts and responds to risk and – more than ever before – CISOs must lead the charge in this respect.”
F5 will appear at Dubai’s Gitex Technology Week 2017.