
2025 Security Leaders Peer Report

Welcome to our fifth annual Security Leaders Peer Report!

Now, for some of us, we just want to get to the point, cut out all the fluff and read the stats. This is what this version is for. If you're interested in the numbers, then you've come to the right place!

We've asked 400 security leaders from larger organizations (1000+ employees) across the US and UK about their opinions on the state of the cybersecurity industry. These findings should both help and enlighten you.

Suffering breaches

To the surprise of nobody, the landscape is one of increasing pressure from multiple sides.

Perhaps the most impactful thing we found is that 61% of security leaders have suffered a breach because of failed or misconfigured controls in the last 12 months.

Chart: "Has your organization suffered a security breach in the past year because internal policies, governance and controls failed or were not working effectively?" Yes: 61%. No: 31%. Don't know: 1%.

That is a lot. It means they suffered a breach even though they had invested in and deployed a tool or control.

But it gets worse. Two thirds (65%) of those breaches cost more than $1 million, and 12% cost more than $10 million.

67% went on to agree that they needed to trade off on risks because it was impossible to protect everything.

Toxic combinations of risk

Your fellow cybersecurity leaders are also feeling the pain of “toxic combinations”.

The term “toxic combinations” alludes to pharmacology in the sense that if you put two drugs together, you can kill the patient. In the context of cybersecurity, it means risks that are compounded by the presence of other significant risks related to the same asset. For example, a laptop with a critical vulnerability that doesn’t have endpoint protection. That may also be owned by a person who has recently failed phishing tests or has a range of privileges. As these risks stack up, you can see how they’re compounded in something that needs immediate attention.
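The following is an added example, not part of the Panaseer report or its platform, showing how the "toxic combination" idea can be turned into a concrete check: each data source (vulnerability scanner, endpoint-protection inventory, phishing-simulation results, privilege data) contributes one risk condition per asset, and an asset is flagged only when several conditions stack on it. The asset and person records, the field names, the CVSS threshold and the "two or more conditions" rule are all assumptions made for the example; a missing endpoint-protection record or an unknown owner is deliberately counted as a condition, because absent data is a visibility gap rather than evidence that the control is in place.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed records standing in for exports from a vulnerability scanner,
# an endpoint-protection inventory, phishing-simulation results and an IAM
# directory. Field names are assumptions for this example.


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: Optional[str]            # None when ownership is not recorded
    max_cvss: float                 # highest CVSS base score among open findings
    edr_installed: Optional[bool]   # None when no endpoint inventory covers the host


@dataclass(frozen=True)
class Person:
    name: str
    phishing_failures_90d: int      # simulated phishes clicked in the last 90 days
    is_admin: bool                  # holds privileged roles


CRITICAL_CVSS = 9.0  # assumed threshold for a "critical" finding


def risk_conditions(asset: Asset, people: Dict[str, Person]) -> List[str]:
    """Return the individual risk conditions present on one asset.

    Missing data (no endpoint record, unknown owner) is reported as its own
    condition so that a gap in visibility is never mistaken for a passing control.
    """
    conditions: List[str] = []
    if asset.max_cvss >= CRITICAL_CVSS:
        conditions.append("critical_vuln")
    if asset.edr_installed is False:
        conditions.append("no_edr")
    elif asset.edr_installed is None:
        conditions.append("edr_status_unknown")
    owner = people.get(asset.owner) if asset.owner else None
    if owner is None:
        conditions.append("unknown_owner")
    else:
        if owner.phishing_failures_90d > 0:
            conditions.append("phish_prone_owner")
        if owner.is_admin:
            conditions.append("privileged_owner")
    return conditions


def toxic_combinations(
    assets: List[Asset], people: Dict[str, Person], min_conditions: int = 2
) -> List[Tuple[str, List[str]]]:
    """Flag assets on which at least `min_conditions` risk conditions coincide.

    Results are ordered so the asset with the most stacked conditions comes
    first, which is the one that needs attention first.
    """
    flagged = []
    for asset in assets:
        conditions = risk_conditions(asset, people)
        if len(conditions) >= min_conditions:
            flagged.append((asset.hostname, conditions))
    flagged.sort(key=lambda item: (-len(item[1]), item[0]))
    return flagged


# Constructed sample data: one clearly toxic laptop, one patched-and-protected
# laptop with a single open critical, and a server nobody owns or monitors.
PEOPLE: Dict[str, Person] = {
    "alice": Person("alice", phishing_failures_90d=2, is_admin=True),
    "bob": Person("bob", phishing_failures_90d=0, is_admin=False),
}

ASSETS: List[Asset] = [
    Asset("lap-001", owner="alice", max_cvss=9.8, edr_installed=False),
    Asset("lap-002", owner="bob", max_cvss=9.8, edr_installed=True),
    Asset("srv-003", owner=None, max_cvss=5.0, edr_installed=None),
]


if __name__ == "__main__":
    for hostname, conditions in toxic_combinations(ASSETS, PEOPLE):
        print(f"{hostname}: {len(conditions)} stacked conditions -> {', '.join(conditions)}")
```

On the sample data only `lap-001` and `srv-003` are flagged; `lap-002` has one critical vulnerability but a reporting endpoint agent and a low-risk owner, so it is a single risk rather than a toxic combination. Joining on a consistent asset identifier across sources is the hard part in practice: if the scanner and the endpoint inventory disagree on hostnames, the join silently drops the very assets that are most likely to be the hidden risk.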

A staggering 92% of security leaders agree that toxic combinations are a cause for real concern.

Chart: "Do you worry that growing IT complexity is increasing the threat of toxic combinations and putting high-value assets at greater risk?" Yes: 92%. No: 7%. Don't know: 1%.

How do we communicate hidden risk?

Communication and reporting are fundamental to cybersecurity. Delving into the data, we can see that leaders are striving to share the best information they can.

There is a clear need to communicate the state of security controls (79% said they were doing so) and regulatory and audit compliance (84% currently deliver or are aiming to).

Clearly, cybersecurity leaders are working hard on reporting. So much so that their teams spend 46% of their time on reporting.*

On the surface, everything seems fine. Aside from the large amount of time spent, perhaps. But, when you read data like this, the most interesting stuff is the contradiction.

Then we get to the hidden risk.

Despite the confidence in reporting, 70% say there are too many unknowns to get a clear picture of risk.

Chart: "Visibility gaps prevent us from having a clear picture of risk – there are too many unknowns. To what extent do you agree?" Strongly agree: 27%. Agree: 43%. Neutral: 12%. Disagree: 13%. Strongly disagree: 5%.

That raises the question: how do we communicate hidden risk?

We see cyber professionals battling to meet the demands on them, knowing where the shortcomings are and taking steps to spend more in the right places (assurance and control governance). In fact, 95% have seen an increase in budget for controls governance. And half (49%) say it has increased by 25% or more in less than two years.

They want to know what data to trust, what to report, and ultimately, to make the right decisions.

CISOs are feeling the pressure

Rightly or wrongly, cybersecurity is under pressure. And leadership is feeling the brunt.

90% of CISOs are being asked to give more assurances on security controls than ever, communicate with more stakeholders than ever (85% agree) and face greater scrutiny than ever (85% agree).

We’re all for ownership, responsibility, and accountability in cybersecurity. But that isn’t the same as blame. Increased legislative and regulatory scrutiny brings the apparent need to apportion blame. We’ve entered the age of CISO liability, where our leaders seem to be living under a corporate sword of Damocles.

75% of CISOs believe they face greater personal liability. And while 70% feel it’s fair, 72% have personal indemnity in place, with another 20% seeking to get it in the next year. 13% are paying for it themselves.

But the landscape doesn’t set security leaders up for success. They’re in an environment where specialized tools for cyber analytics aren’t readily available (67% agreed).

Half have visibility gaps because data is only available where tools are deployed. And 72% believe they could stop more breaches if they spent less time reporting.

Is it OK to blame someone for failure when you haven’t given them the tools for success?

We as an industry need to take better care of the people leading security from the front.

Pressure makes diamonds

Security leaders are willing to take the increasing scrutiny; in fact, 85% feel they answer to the board more. They relish greater organizational influence, as 85% communicate more widely across their business.

But these conditions lead to 47% being more cautious, 41% being more anxious, and 15% have even considered leaving the industry.

We have CISOs fighting the good fight, doing amazing things in headwinds that weren’t there ten years ago. We need to provide support and celebrate the successes we don’t see. There are no front-page headlines for the breach that got stopped.

We can use automation and data science to support them. Address hidden risks, improve decision-making, demonstrate compliance, identify control failures. Continuously.

That’s what Panaseer is aiming to do, both with this report and our CCM solution.

Ready to start?

Find out how to improve your security posture management using Continuous Controls Monitoring.

Our team can give you a tailored demo of the Panaseer platform, including the metrics and dashboards that enable you to prioritize resources and accelerate remediation.