As regulatory bodies jockey for advantage over who dominates enforcement of cybersecurity rules and regulations, the relationship between chief information security officers and their boards of directors becomes more and more important. This is one of the findings of the 2023 Foundry Security Priorities Study. Now in its 8th year, it examines the role of security leaders, the challenges they face, and, of course, what their security priorities are for the coming year. This year’s study collected insights from nearly 800 security leaders around the globe and provides a unique perspective into the role played by the chief security officer.
It has never been more challenging to be a chief information security officer. But it has also never been a more important role to successfully manage business risk. Over the past year in the United States alone, we’ve seen new regulations from the US Securities and Exchange Commission (SEC) as they focus on how security risks materially impact business performance. Despite this, only 30% of this year’s respondents said that they have a process to determine whether a security incident constituted a material event, although another 30% are developing such a process. More recently we’ve seen new regulations from the state of New York and other state-level bodies that seek to exercise even greater control over how businesses manage their cyber risks. For the CSO, 2023 has proven to be a wakeup call that has finally shown the true personal risks that CSO’s face.
The board of directors – better alignment but more to come
CSOs reporting to the board of directors jumped to 25% – up from 20% last year – and 85% of CSOs are reporting regular engagement with their board of directors, with nearly half reporting engagement at least monthly. At the same time the number of CSOs who have little to no engagement with their board of directors has fallen to 15%. On the surface these numbers may appear good, yet only 46% report any level of cyber expertise on their board of directors and that can prove to be a major challenge. Managing cyber risk is not for the faint of heart nor for those without expertise in the area. Since 2011, when the NACD first issued guidance around this issue, there has been a drive to invest boards with greater levels of cybersecurity expertise. Twelve years later we’re still seeing mixed results.
Regulations – driving investment but lagging results
As the study has found in years past, a large number of security leaders believe they are falling short in managing their risks. They most often find it difficult to convince all the parts of their organizations of the severity of the risks that they face. Despite rising budgets, they believe that they’re still not investing enough resources (budget, people, technologies, etc.) to address the risks that they face, and they struggle to find, acquire, and/or retain the technical or professional expertise that they need.
Budgets – going up
But at the end of the day the most telling metric as to how organizations perceive the importance of investing in security is budget. Forty-three percent of this year’s respondents will have increased budgets next year. Only 2% expect budgets to decline – the smallest number indicating decline in the history of the study. Some leading areas where there will be increasing investment: zero trust technologies cyber risk insurance and customer identity and access management. They expressed the most interest in future spending around zero trust, SASE, deception technology, and XDR. To learn more about what’s on the horizon for security leaders in 2024, view our blog highlighting the adoption of AI and cyber risk insurance here.
Technical debt
Security leaders continued to saddle themselves with technical debt. And as a CISO once noted to me, ransomware is the technical debt collector. When asked about their acquisition and retirement of security tools the typical organization was retiring 2+ security tools per year, but they were also acquiring 3+ tools during that same time. In conversations with CISOs I consistently hear an understanding of the risks from technical debt, but I also hear the challenges they have around moving to platform-centric solutions that may integrate better but provide less efficacy. The industry needs to find a way to move beyond its reliance on best of breed solutions to a more proactive approach to managing cyber risks.
Final thoughts
As an observer of this market for the past 21 years I’ve witnessed security leaders mature to address any challenge that faced them. But the changes we’re witnessing over the past few years are transformational. CSOs are now business leaders who are well versed in technology as opposed to technology leaders that struggle to understand the business, and we’re seeing that reflected in the findings of this year’s study. But challenges remain:
- The expectations of the business, given the evolving role of the CSO, can easily create a chasm between what security leaders can deliver and what is expected of them.
- Technology challenges continue to complicate the landscape from the growing number of tools and level of technical debt that businesses carry.
- While budgets continue to grow the options for offloading risk are becoming more expensive which creates challenges, particularly for small and medium businesses.
The big thing to watch over the next year will be how third parties – regulators, insurers, and business partners – impact the way businesses address their risks and types of security solutions they adopt. The risk is that their mandates will shift resources away from the most pressing security issues identified by CSOs in order to meet the demands of those third parties, creating risk gaps that will be targeted for exploitation. I’ll also be watching how aggressively regulators go after businesses and their CSOs in the wake of security lapses.
