Most CISOs feel unprepared for new compliance regulations

With the new stringent regulations, including the SEC’s cybersecurity disclosure rules in the USA and the Digital Operational Resilience Act (DORA) in the EU, a significant challenge is emerging for many organizations, according to Onyxia Cyber.

CISO role has changed in recent years

The job of a CISO has changed dramatically over the past few years. What used to be a technically minded cybersecurity role has evolved to include a greater emphasis on security strategy and on quantifying and mitigating business risk. With compliance regulations and the cost of a breach growing year on year, executives realize the importance of saving cybersecurity a seat at the table.

67% of CISOs report feeling unprepared for these new compliance regulations, while 52% admit to needing more knowledge on reporting cyber attacks to the government.

“As cyber threats escalate and regulations impose heavy penalties for non-compliance, it’s imperative for CISOs to reassess and strengthen their security programs in a data-driven way. Our survey reveals critical industry benchmarks, highlighting areas of strength and significant gaps that need urgent attention,” said Sivan Tehila, CEO of Onyxia. “CISOs must enhance their preparedness, improve security hygiene, and embrace new technologies like AI to better maximize their existing security tools and protect their organizations.”

56% of the surveyed CISOs admit discomfort with their current incident response strategies, indicating a significant need for improvement in handling cyber incidents effectively. As regulations evolve, many organizations feel that they don’t have adequate guidance, or that certain terms are difficult to understand. What exactly constitutes a “material” incident, for example?

67% report having difficulties in effectively persuading the C-suite of their security strategies and securing buy-in for their initiatives. Interestingly, only 19% of those who have been a CISO for 5+ years find it very easy to share their strategy with the executive board, while 40% of less experienced CISOs say the same.

CISOs see potential in AI

Basic security measures, such as MFA and strong passwords, are not universally implemented. CISOs consider an average of 11% of user accounts with weak passwords and 13% without MFA as acceptable, highlighting areas for improvement.

84% of CISOs currently measure the effectiveness and performance of their security programs with either spreadsheets, analysts, or a combination of the two approaches. Despite a reliance on manual methods, CISOs see potential in AI.

97% believe AI can enhance risk management, with 54% believing AI capabilities could help them in identifying gaps and redundancies in security stack coverage and 42% anticipating AI’s role in automating business-level risk reporting.

“Our industry is going through an evolution phase,” said Chris Roberts, Onyxia Cyber CISO Advisor. “This time the maturation of our industry is at a point where business drivers, leadership conversations, legal, compliance, regulatory, and accountability conversations dominate over most other concerns. This report paints an honest picture of where we’re at, what we’ve done, and what we have left to do.”
