The 10th annual Information Security Maturity report from ClubCISO surveyed 182 members of the ClubCISO community. The respondents, who hold the most senior information and cybersecurity positions at their respective organisations, indicate that strong security is now considered a key corporate capability, a shift largely attributed to the voice CISOs have developed at the executive level.
The 10th annual Information Security Maturity Report, published by ClubCISO in collaboration with Telstra Purple, paints an optimistic picture of organisational resilience to security threats, as CISOs report another drop in material breaches compared to the year before.
Despite a tougher economic climate, heightened global tensions and new technology that makes cybercrime easier, 76% of the CISOs taking part in the annual survey reported that no material breach had occurred, and 60% said that no material cybersecurity incident had occurred, in the past 12 months.
This apparent success of security teams is particularly interesting given that CISOs on average rated their organisation’s overall security posture lower than they did over the previous year. Last year, 46% rated themselves as above average (at least 4/5 stars) while this year, only 38% rated themselves the same. Additionally, more than 13% of respondents don’t feel confident that their organisation will be able to meet key security objectives – an exact repeat of last year’s result.
While the report does not draw a direct link, the disparity between falling material breaches and incidents on the one hand and weaker self-assessed security postures on the other might partly be explained by the positive cultural gains that CISOs have observed. A large proportion (80%) of respondents said they believed that their organisation’s security culture had improved to some degree in the last year. When asked about the most important factors behind these cultural improvements, 60% cited leadership endorsement as a major influence.
Looking at the cultural improvements in more detail, proactive no-blame ‘report it’ policies (41%), simulated phishing (38%) and tailored training (37%) remain the other key drivers of security culture. However, each scored lower than in the previous year, perhaps because these measures have become a well-established part of security culture and so register as less of a distinct driver.
“Our findings this year acknowledge the crucial role that leadership endorsement plays in security culture,” said Jessica Barker, Advisory Board Member. “Cybersecurity has been rising up the corporate agenda for a few years now, but this stronger alignment between security teams and senior leadership is very encouraging progress. Without tone (and resource) from the top, building a healthy security culture will always be more challenging.”
Alignment with leadership has strengthened year on year: 67% of CISOs reported strong alignment with the executive team (59% in 2022) and 54% with the board (49% in 2022).
In response to a severe threat landscape, most members responding to the survey (72%) now have cybersecurity insurance. However, the issue remains a divisive one, with some 15% saying they do not want insurance and do not believe in its benefits.
Rob Robinson, Head of EMEA at Telstra Purple, sponsor of the ClubCISO community, commented: “The results from the members survey reinforce what we’ve been seeing in the market for some time now – security strategies need to be built around people to be truly effective. It seems that the decline in material cyber breaches is linked to the people and cultural improvements – a huge 80% of CISOs suggested that their organisation’s security culture had developed positively over the last year. The fact that leadership endorsement is also being highlighted as a critical factor for establishing an effective security posture also recognises the progress CISOs have made at the very highest levels of business. Strong security is now clearly seen as a key corporate capability and that is in large part due to the voice CISOs have developed at the C-level.”