CISOs must shift from tactical defense to strategic leadership
Cyber threats are growing quickly in scale and sophistication, driven by the rapid evolution of technology, increasingly capable attackers, and the expansion of attack surfaces through interconnected systems and devices, according to Ivanti.
Ivanti’s research shows that while cybersecurity budgets are growing (71% report budgets are up in 2024), security strategy and investments may not be keeping pace with the growing severity and pervasiveness of threats.
Fully 95% of IT and security professionals believe security threats will be more dangerous due to AI — yet, despite that elevated risk, nearly one in three security and IT professionals have no documented strategy in place to address generative AI risks. In today’s environment, CISOs play an even more critical role in the organization as many of the decisions they make will affect the business as a whole.
Vulnerability management is misunderstood
Although 60% of non-IT leaders report being “very” or “extremely confident” in their organization’s ability to prevent or stop a damaging security incident in the next 12 months, just 46% of IT professionals shared that level of confidence. This gap suggests leaders outside IT may not truly understand the risks posed by mounting and increasingly aggressive cybersecurity threats.
55% of IT and security professionals state that non-IT leaders do not fully understand vulnerability management, and non-IT leaders largely agree: 47% say they lack a high-level understanding of it. When leaders don’t understand vulnerability management, they may not realize how shifting leadership priorities can affect the security of their organization. In fact, more than one in four IT professionals say patch management is undermined by changing leadership priorities.
Security teams and leaders outside IT have differing views of the potential impacts of cyber risks — including the extent of the damage they can cause and the areas of the organization that are most likely to bear the impact.
Executives outside IT are more likely to focus on financial, legal and reputational impacts than their IT and security counterparts. For instance, 24% of executive leaders label the reputational impact of cyber risks as ‘high’ compared to only 15% of CISOs.
Cybersecurity is already a topic at the board level
The research shows cybersecurity is already a topic at the board level. 86% say cyber risk management is discussed at the board level, and 84% say CISOs are invited to high-level strategic meetings about business decision making, organizational planning, etc.
To evolve into strategic players, security leaders must learn to speak the same language as their CEOs and boards — translating technical know-how into business priorities, such as the financial and reputational impacts of attacks, as well as the legal and regulatory ramifications of data breaches.
“The role of the CISO is to effectively communicate the true risk that their organization faces and understand how different types of security incidents can impact the organization – now more than ever,” said Mike Riemer, Field CISO at Ivanti.
“The threat landscape is growing increasingly volatile and unpredictable, and CISOs are tasked with enabling employees to remain productive and secure. The success of the CISO organization is imperative to ensure the success of the entire organization, which explains why cybersecurity has elevated to being a board-level discussion,” added Riemer.