While there is no doubt that IT security is increasingly becomes a priority and CISO’s influence within its organization is also growing, security strategy in many organizations is still largely reactive and not yet aligned with business functions. This is according to a report by F5 Networks on the nature of the CISO role and the IT security approaches organizations around the world are taking in today’s constantly evolving threat landscape.
Conducted by the Ponemon Institute, the findings are based on interviews with senior-level IT security professionals at 184 companies in seven countries: The United States, the United Kingdom, Germany, Brazil, Mexico, India and China.
“This research provides a unique view into how CISOs are operating in today’s challenging environment,” said Mike Convertino, Chief Information Security Officer at F5. “It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. Yet in many organizations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”
Responsibility growing for CISOs – Although CISOs have varying degrees of influence among upper management in their organizations, most CISOs are influential in managing their companies’ cybersecurity risks, and their impact is growing. Sixty-eight percent of respondents say CISOs have the final say in all IT security spending, while a slightly smaller number (64 percent) say they have direct influence and authority over all security expenditures in their organizations. Eighty-seven percent of respondents say the IT security budget has increased significantly (18%), increased some (29%), or has not changed (40%).
Alignment lacking with business – An IT security strategy that spans the entire company is still very rare. Fifty-eight percent of respondents indicate IT security is a standalone function and only 22% say security is integrated with other business teams, while 45 percent say their security function does not have clearly defined lines of responsibility. Seventy-five percent of respondents say that due to the lack of integration with business functions, turf and silo issues have either a significant influence (36%) or some influence (39%) on IT security tactics and strategies.
Recognition of security as a business priority is reactive – Sixty percent of respondents believe their organizations consider security to be a business priority, yet only 51% say their organization has an IT security strategy, and of those only 43% say that strategy is reviewed, approved and supported by other C-level executives. The findings indicate that change in security programs is largely reactive, with material data breaches (45%) and cyber security exploits (43%) the top two events that get attention from other senior executives.
Crises driving influence with executive leadership – Sixty-five percent of respondents say CISOs communicate directly with senior executives, but rarely is it strategic discussion of all threats to the organization. Forty-six percent admitted communication with the CEO and board of directors solely happens in the event of material data breaches and material cyber-attacks while only 19% report all data breaches to the CEO and board of directors.
AI is a potential solution to staffing needs – A talent shortage in IT security continues to loom large for CISOs. The average headcount of IT security personnel will increase from 19 to 32 full-time (or equivalent) employees over the next two years, with nearly half (42%) feeling their current staffing is not adequate. Fifty-eight percent say they have difficulty hiring qualified security personnel, with the biggest challenges identifying and recruiting qualified candidates (56%) and an inability to offer a market-level salary (48%). These challenges are pushing companies to look elsewhere for solutions – half of respondents (50%) believe computer learning and artificial intelligence can address staffing shortages, and 70% believe these technologies will be important to their IT security functions in two years.