ClubCISO, a global private members forum with an active community of over 500 Information Security leaders, powered by Telstra Purple, today unveils the findings from its eighth annual Information Security Maturity Report. The report, which provides the current view of security issues facing businesses across the globe, indicates that years of innovation and hard work from CISOs has upheld security defences throughout COVID-19.
Existing security capabilities have remained strong over the pandemic, with less of an impact than was anticipated before the crisis struck. However, new ways of working and a fragmented workforce has created unprecedented pressure on CISOs and their security teams. This year’s report once again shows stress and understaffed teams remain a key issue for CISOs and their employees, highlighting the need to address the growing skills gap the industry is facing.
Despite this, CISOs and security teams have reported positively on their organisations’ performance over the last year, citing improvements in overall security culture and resilience; 69% say their organisations’ security postures were improved or unchanged by COVID-19.
COVID-19 has placed cybersecurity under a spotlight, as new ways of working and threats have emerged. Despite this, 88% of CISOs surveyed believe their security capabilities have held up over the last twelve months – a much stronger result than when asked in the early days of the pandemic (77%). This shows the years of innovation and hard work to ensure rigorous capabilities has paid off for CISOs and their organisations.
COVID-19 has also provided CISOs with a unique opportunity to further support the need for change within their organisations and reinforce security as a key business function. In fact, we have seen a change at board level in attitudes towards security. In 2021, 55% of CISOs say their boards take a balanced view, prioritising prevention and response in equal measure when it comes to their defences – a significant jump form 38% in 2020. In addition to this, 86% of CISOs believe their organisation now views security as being as important as they do; a considerable increase from 65% pre-pandemic.
However, we have seen criminals exploit the COVID-19 situation over the last twelve months. Remote working and the very nature of a fragmented work force has led to an increase in entry points and vectors of attack that criminals can take advantage of. The most common vector of attack reported was social engineering, including phishing, voice calls and whaling, (32%), followed by compromised credentials (25%).
Stephen Khan, Chair of ClubCISO said:
“This year, our ClubCISO Information Security Maturity Report highlights some significant improvements to global business security functions and improvements to organisations’ security culture. Though the pandemic has increased the risk of security breaches, with more sophisticated and numerous attacks taking place, security teams have adapted well and have used the unprecedented situation brought about by the pandemic to highlight the importance of security and increase their organisations’ understanding of it.”
Strong Security Culture
COVID-19 has reinforced the need for strong cyber security, and we have seen tangible, valuable improvements that show CISOs are making their organisations safer and better. We have also seen an increase in CISOs driving measurable improvements in security training (58%) and, overall, much more comfort from CISOs on how their organisations view information security.
Encouragingly, 68% of CISOs agree their organisations now have a positive security culture, compared to only 45% in 2020. In addition, 61% of CISOs believe their organisations are making progress or feeling they exemplify best practice in security culture – a considerable increase from only 39% in 2020.
While positives can be drawn, CISOs still acknowledge issues in organisational culture and team subcultures as a major roadblock in driving the security agenda. Of those surveyed, 43% cite the culture of their organisation as a concern that affects their ability to deliver against objectives. CISOs must now continue to drive initiatives from the top; it is only this way that a strong, inclusive and knowledgeable environment can be fostered.
The wellbeing of CISOs and security teams
Despite clear improvements in security culture and resilience, the pandemic has placed employees across the board under unprecedented levels of stress, and CISOs and security teams are no different; 64% of CISOs surveyed have experienced an increase in stress over the last 12 months. The report outlines a similar situation for their team; 6% of CISOs still report their team is experiencing ‘unbearable stress’ and 36% believe the stress their teams are under negatively affects performance.
Team skills and resource shortages continue to be detrimental to the mental health of CISOs and their teams; 45% cite security team skills and resourcing greatly contribute to their stress levels, whilst 53% see insufficient staff as a key issue when delivering against objectives.
Stress continues to be a problem for the security community, and it is imperative that CISOs and organisations work together to address this. On a more positive note, the majority of CISOs surveyed ‘love’ their job, with 78% either agreeing or strongly agreeing.
Manoj Bhatt, ClubCISO Advisory Board Member and Head of Cyber Security Advisory at Telstra Purple said:
“Given today’s unrelenting threat landscape, CISOs have arguably the toughest jobs on the organisational chart. The CISO must be available to many different departments and remain ahead of the curve in an ever changing threat landscape, across all areas of cyber security. This causes added stress which will filter down to members of the team.
“However, it’s encouraging to see that security is being taken even more seriously than before. Accelerated digital transformation during the pandemic has allowed projects to move at a faster rate, such as security awareness programmes, enabling remote access, and security monitoring. Confidence in the ability to meet security objectives has improved against last year too. Board members are realising the importance of balancing prevention and response capability, although it remains to be seen whether this has become an enduring sentiment in the boardroom. CISOs and board members must now continue to work and maintain those relationships beyond just crises and emergencies.”
Further building on robust foundations
This year’s report has clearly demonstrated how CISOs from across the globe have come together as a community to address key issues in the face of unprecedented adversity. Years of innovation and hard work have paid off, as security defences have stayed resilient during what has been a critical and challenging year for cyber security.
However, there is still more to be done. CISOs must continue to push forward in hiring from a diverse pool of talent and attract an inclusive team that can alleviate current pressures. In tandem, resilience will only remain if we nurture our own workforce. CISOs and their organisations must actively work to ensure the mental wellbeing of their team is a central focus.
The pandemic has bought us to a pivotal moment for the industry, and CISOs must ensure they keep security at the heart of their organisations, to build on the good work that has been actioned over the last 12 months.