The evolving nature of the CISO role
As IT security increasingly becomes a priority, CISOs’ influence within companies is growing. However, security strategy in many organizations is still largely reactive and not yet aligned with business functions.
Conducted by the Ponemon Institute, the findings are based on interviews with senior-level IT security professionals at 184 companies in seven countries: The United States, the United Kingdom, Germany, Brazil, Mexico, India, and China.
“It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. But in many organizations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks,” said Mike Convertino, CISO at F5 Networks.
Responsibility growing for CISOs
Although CISOs have varying degrees of influence among upper management in their organizations, most CISOs are influential in managing their companies’ cybersecurity risks, and their impact is growing.
Sixty-eight percent of respondents say CISOs have the final say in all IT security spending, while a slightly smaller number (64%) say they have direct influence and authority over all security expenditures in their organizations. Eighty-seven percent of respondents say the IT security budget has increased significantly (18%), increased some (29%), or has not changed (40%).
Alignment lacking with business
An IT security strategy that spans the entire company is still very rare. Fifty-eight percent of respondents indicate IT security is a standalone function and only 22% say security is integrated with other business teams, while 45% say their security function does not have clearly defined lines of responsibility.
Seventy-five percent of respondents say that due to the lack of integration with business functions, turf and silo issues have either a significant influence (36%) or some influence (39%) on IT security tactics and strategies.
Recognition of security as a business priority is reactive
Sixty percent of respondents believe their organizations consider security to be a business priority, yet only 51% say their organization has an IT security strategy, and of those only 43% say that strategy is reviewed, approved, and supported by other C-level executives.
The findings indicate that change in security programs is largely reactive, with material data breaches (45%) and cybersecurity exploits (43%) the top two events that get attention from other senior executives.
Crises driving influence with executive leadership
Sixty-five percent of respondents say CISOs communicate directly with senior executives, but rarely is it strategic discussion of all threats to the organization.
Respondents also acknowledged limited executive communication around security events, with 46% stating that only material data breaches and cyber attacks are reported to the CEO and board of directors, while just 19% report all data breaches to this group.
AI is a potential solution to staffing needs
A talent shortage in IT security continues to loom large for CISOs. The average headcount of IT security personnel will increase from 19 to 32 full-time (or equivalent) employees over the next two years, with nearly half (42%) feeling their current staffing is not adequate.
Fifty-eight percent say they have difficulty hiring qualified security personnel, with the biggest challenges identifying and recruiting qualified candidates (56%) and an inability to offer a market-level salary (48%).
These challenges are pushing companies to look elsewhere for solutions – half of respondents (50%) believe computer learning and artificial intelligence can address staffing shortages, and 70% believe these technologies will be important to their IT security functions in two years.