It’s been a little more than a year since we launched our inaugural research titled “CISOs in the spotlight”, in which we asked business leaders, employees and consumers globally about their attitudes to cybersecurity. Our follow-up paper, aptly titled “Look again”, demonstrates that the findings are even more pertinent today. (CISO is the acronym for chief information security officer.)
While 76% of business leaders rate their organisation as good or excellent at protecting against cyber threats, the reality is that organisations and employees still neglect the basics, and breaches continue to occur frequently. Eighty-four percent of executives say their organisation has suffered from data theft/loss or a network security incident in the last two years.
Our global research highlights the need to balance technological solutions with an understanding of human nature, and the expanding role of the CISO in achieving this balance. The five key insights are:
- There’s a belief that enterprises are secure, but that’s not the full story
- Consumer behaviour doesn’t help cybersecurity
- Good news: there’s little resistance to greater security measures
- Technology can never replace the human firewall
- It’s time for CISOs to move into the spotlight
CISOs should be thinking about prioritising basic cybersecurity measures. Both employees and executives are neglecting the basics – for example, 45% of people have had a security incident at work and not reported it, and nearly 20% of business leaders have lost a smartphone they use for work and not told anyone. Meanwhile, fewer than one third of business leaders rate key components of their company’s IT security as excellent.
After two years of upheaval, many enterprises will be reviewing their business objectives. CISOs need to use this opportunity to reassess their security strategy and policies to ensure they align with new boardroom priorities. The threat landscape is ever changing and architecture that was secure before the pandemic may now have vulnerabilities. As part of their direct response, CISOs should know their inventory and ensure routine software patching is never missed.
But the fact is, if you only focus on the digital, then you’ll miss the most critical element: human behaviour. The easiest way to infiltrate any organisation is through someone who works there. It’s rarely malicious. People get distracted and make mistakes. It’s human nature. CISOs must accept that the internal threat will always be with us. Therefore, they should take a ‘zero trust’ approach, establish controls that prevent carelessness and build regular cybersecurity training into the year to reinforce good behaviours.
The upside is that this is a real opportunity to make security a differentiator. Consumers value companies they perceive as more secure. A business with clearly visible cybersecurity will reassure consumers and create confidence in its digital products and services, carving itself a competitive advantage.
Additionally, although consumers worry about losing data or being hacked, one third still neglect basic hygiene such as updating software, clearing cookies and routinely resetting passwords. But the answer is not more bureaucracy. A fair number of executives think it’s unreasonable to expect customers to read long privacy and data contracts, and they’re right; a social experiment in the US found that only one percent of technology users read the ‘terms and conditions’ of a contract.
Executives and consumers are in broad agreement on future solutions for data and network security and the research suggests that more advanced protection from technologies such as AI and biometrics will be welcome. In addition to technology-led initiatives such as threat monitoring and securing cloud services, there is demand for more training and for businesses to adopt industry best practices and standards.
There can be no doubt that CISOs remain under the spotlight. Their expertise and leadership are central to the success of the digital business. Business leaders say that their organisations have been at more risk over the last year from a wide range of threats. But CISOs no longer just have to protect against threat and manage risk. Now they have a major contribution to make to brand perception, employee engagement and the strategic adoption of new technologies.
This research underlines how wide the remit of today’s CISO has to be. Cybersecurity is the cornerstone of all business, placing the CISO at the heart of the boardroom to take a leading role in strategic decision making.