CISOs Moving Forward, but More to Go

Monday, March 4, 2019 @ 11:03 PM gHale

[Figure: Respondents of different job titles reported on levels of collaboration between networking and security across the enterprise. Percent of respondents, N=3,248. Source: Cisco 2019 CISO Benchmark Study]

Chief Information Security Officers (CISO) have moved forward in building defenses, detecting cyber threats, and containing data breaches, but there is still plenty of room for improvement, according to a new report.

When asked whether it was easy to determine the scope of a compromise, only 35 percent of respondents agreed with the statement “It is easy to determine the scope of a compromise, contain it and remediate from exploits,” which shows that visibility into the unknown remains a key challenge, according to Cisco’s 2019 Chief Information Security Officer (CISO) Benchmark Study.


While the 35 percent figure is encouraging, the glass-is-half-empty crowd will point out that 65 percent of CISOs in the survey still have room to improve.

Cisco’s double-blind survey, conducted by an independent research partner, covers multiple industries including retail, transport, manufacturing, financial services, as well as government and higher education.

Understanding the risks of cyberattacks, and the compliance landscape that surrounds security breaches, is paramount to knowing how to defend against and prepare for the worst. When asked how knowledgeable they were about risk and compliance, 80 percent of respondents described themselves as very knowledgeable, which means the remaining 20 percent of security professionals could possibly use some training, according to the research.

Almost half, or 47 percent, are determining how to control security spending based on organizational security outcome objectives. Measuring outcomes against investments is the best data-driven approach. What’s more, 98 percent strongly or somewhat agree their executive team has established clear metrics for assessing the effectiveness of their security program. Forty-nine percent of respondents have metrics utilized by multiple areas of their companies to understand the risk-based decisions and improve processes to measure the security effectiveness throughout the organization.

Controlling security spending based on previous years’ budgets (46 percent) or on a percent of revenue (42 percent) were both popular choices, but neither necessarily correlates with better security. The breach landscape changes year to year, and a previous year’s budget or a fixed percent of revenue may have little to do with what it costs to defend against future threats, according to the research.

The fourth most relied upon approach to determining security spending is cyber insurance: 40 percent are using cyber insurance, at least partly, to set their budgets. Taking this approach begins with a risk assessment to accurately identify security risks and determine whether each can be transferred through insurance or mitigated by controls. For some companies, cyber insurance guidelines may also play a role in technology selection and/or budget setting.

One of the questions asked was: Thinking of the most impactful breach you experienced in the past year, what was the total cost? Eight percent said $5 million or more, compared to 51 percent saying $500,000 or less.

When asked which security incidents or attack types they had encountered in the past year, respondents put two email security issues among the top three. In addition, two of the top 10 issues are insider threat issues, file sharing and stolen credentials, which shows that organizations must look at what is happening inside as much as outside, and be aware that some attackers log in rather than break in. This drives the need for better multi-factor authentication (MFA).
