Chief information security officers are modifying and expanding their security strategies to address emerging threats, finds the recently released Cisco 2019 CISO Benchmark Study.
Wendy Nather, director of advisory CISOs at Duo Security, a Cisco unit, says that CISOs and their enterprises are modifying their strategies to counter new and evolving security threats.
Nearly half of the survey's respondents (47%) report that they are now using outcome-based objectives to focus their security spending. "They’re not just collecting tools, but are making sure that the results are tangible," Nather says. "In terms of strategy, the vast majority of organizations (94%) are practicing incident response at least once a year; 61% are doing it at least every six months," she notes. "These exercise drills are helping enterprises develop the skills they need to face evolving security threats."
Facing the major challenges
Collaboration tends to be the most effective security strategy, the report states. "The most collaborative teams lose the least money," Nather explains. In fact, collaboration and the elimination of silos shows a tangible financial upside: 95% of security professionals report that their networking and security teams are very or extremely collaborative.
The high financial impact of security breaches continues to concern CISOs. Fifty-nine percent of respondents reply that the financial impact from their most serious breach was less than $100,000 -- the lowest category of breach cost listed in the survey. Forty-five percent of respondents report a breach with a financial impact exceeding $500,000. On the bright side, more than 50% of respondents state they are driving breach costs below $500,000. Unnervingly, 8% of CISOs claim their most significant breach of the past year cost more than $5 million. On the other hand, 93% of CISOs state that they are feeling more confident about cloud-delivered security and in securing the cloud.
CISOs' changing role
CISOs are now more involved than ever in "managing risk by contract," orchestrating and negotiating security with third-party providers and suppliers. "More CISOs appear to be comfortable with using cloud-based security services—93% of respondents agree that it makes their operations more effective and more efficient—and we expect this trend to continue," Nather says.
Employees and other system users continue to present the greatest protection challenges for many CISOs. Only 51% [of CISOs] rate themselves as doing an excellent job of managing human resources on security via comprehensive employee onboarding and appropriate processes for handling employee transfers and departures, according to the report.
[Editor’s note: CISOs and CIOs objectives sometimes put them at odds. We review why this is happening and how this may impact where security leadership should fit in IT org charts.]
Email security, phishing and risky user behavior remain top security concerns for CISOs, the study found. "In addition to addressing these risks with multi-factor authentication, advanced spam filtering and DMARC to defend against business email compromise, it’s essential to have an organizational process that starts with security awareness training on day one," Nather says. The perception of this risk has held steady for the past three years for 56% to 57% of respondents. Coupled with low levels of security-related employee awareness programs, this represents a possible major gap that the security industry can help address, the report states.
The methods CISOs and their staffs are using to measure their security efforts are changing rapidly, the study finds. The number of respondents who rely on ‘mean time to detection’ as a metric for security effectiveness decreased from 61% in 2018 to 51% in 2019. Meanwhile, ‘reported time to patch’ dropped from 57% in 2018 to 40% in 2019. As other measurement techniques lose favor, ‘time to remediate’ is gaining popularity as a success metric. The method was cited by 48% of respondents compared to 30% in 2018.
More teams involved
Driven in part by cyber insurance procurement, risk assessment and risk metrics that span multiple business units are playing an increasing role in technology selection, the study finds. These tools help CISOs focus on their operational practices. Forty percent of respondents indicate they are using cyber insurance, at least partly, to set their budgets.
Complex security environments incorporating tools from 10 or more security vendors could be hampering security professionals’ visibility across their environments, the report warns. Sixty-five percent of respondents do not find it easy to determine the scope of a compromise, contain it, and remediate from exploits.
Overall, the number of respondents experiencing cyber fatigue -- the urge to give up trying to stay ahead of security threats -- decreased from 46% last year to 30% this year. "We consider this very good news, as CISOs feel more confident in being able to defend their organizations," Nather concludes.
Cisco's Recommendations for CISOs
• Base security budgeting on measured security outcomes with practical strategies coupled with cyber insurance and risk assessments to guide your procurement, strategy, and management decisions.
• Reduce exposure and extent of breaches by doing the following: Preparing with drills; employing rigorous investigative methods; and knowing the most expedient methods of recovery.
• The only way to understand the underlying security needs of a business case is to collaborate across siloes -- IT, networking, security, and risk/compliance groups.
• Orchestrate response to incidents across disparate tools to move from detection to response faster and with less manual coordination.
• Combine threat detection with access protection to address insider threat and align with a program like Zero Trust.
• Address the No. 1 threat vector with phishing training, multi-factor authentication, advanced spam filtering and DMARC to defend against business email compromise.
John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic ... View Full Bio