Report finds CISOs’ biggest worry in new role is inaccurate data on security posture

Security leaders more worried about data quality than budget shortfall or being blamed for breaches.

Panaseer’s 2024 Security Leaders Peer Report has found the biggest concern when taking on a new CISO role is receiving an inaccurate audit of the company’s security posture (54%). This is a tacit acknowledgment that inaccurate security data can hide points of weakness and result in security resources not being utilised efficiently.

The survey of senior cybersecurity decision makers in 1,000 plus employee organisations in the UK and US found the issue of data quality was of greater concern to respondents than the lack of security budget (44%) and being scapegoated for a breach (44%).

The same desire to gain complete visibility into security controls data was also highlighted in the top challenges cited by respondents when starting a new CISO role:

  • Getting a true picture of weaknesses in organisational security posture (49%)
  • Understanding the threat landscape (45%)
  • Getting trusted data to enable strategic decisions (43%)

Understanding where security controls are failing is a critical first step to mitigating cyber-risk and making the right decisions. Unfortunately, only 36% of security leaders are totally confident in their security data and use it for all strategic decision-making. This is a concerning finding, as without trusted data CISOs might struggle to influence senior business stakeholders and ensure the right people are held accountable for fixing security issues.

“One of the most important things in the world is credibility. If you lose credibility, it’s the hardest thing to earn back from people,” said Shawn Bowen, SVP and CISO of World Fuel Services. “So when your data lacks credibility, that’s the same problem. You need to know where your data is inaccurate and be up front about it, otherwise if someone else finds the inaccuracies they aren’t going to trust you again.”

The report found a concerning gulf between respondents’ perception of their security controls and reality. Nearly all (95%) said they are highly or somewhat confident that security controls are working effectively all the time, and 88% declared that they trust their security data is accurate.

As a result, over half (54%) of security leaders said they are very confident in their ability to use security data to prioritise actions to have the greatest impact on risk reduction. Nearly all (96%) are confident to some extent.

However, 79% of responding organisations admitted they have been surprised by a security incident that evaded their controls – indicating that data on the status of controls is either inaccurate, or not being properly interpreted to improve security posture.

There is also evidence to suggest that controls data is not widely viewed as a strategic asset for cyber protection and risk mitigation.

Over one-third of respondents (38%) said they are unable to evidence remediation of control failures. A similar number (37%) classify control failures as a low priority, rising to 43% in financial services companies.
