With the increase in cybersecurity threats in recent years and more awareness of security breaches, security leaders and their C-level peers are in the spotlight more than ever when it comes to protecting their organizations. Security is now top of mind at the Board level, and CISOs are thinking more holistically about risks to the enterprise.
In their ebook about employees and cyber bait, Gartner reports that 85% of data breaches involve a human element. To help protect the organization, CISOs have to call upon their abilities to influence, educate and communicate about security risks across the enterprise.
In our 2022 Leadership Perspective Survey, the number one goal across the organization for CISOs is to reduce risk. Here, we take a closer look at their functional security goals, based on responses from more than 1,000 CISOs in Evanta communities around the world.
Top Priorities for CISOs
CISOs from leading companies report that their top priority for 2022 is cloud security, strategy and architecture, followed by third-party risk management and measuring and communicating risk. The latter two initiatives are so close that they have traded the #2 and #3 spots in the past several weeks. In fact, aside from that change, the top five priorities for CISOs are identical to last year.
Advancing Cloud Security, Strategy & Architecture
In our annual survey, we also ask CISOs about the goals and challenges to making progress on their top initiatives -- in this case, cloud security, strategy and architecture, third-party risk management, and measuring and communicating risk. CISOs primarily cited mitigating risks as their most important goal, while a lack of resources and a lack of skills are causing challenges for security leaders across their objectives.
These are their specific goals and challenges in creating and implementing cloud security, strategy and architecture.
Goals for Cloud Security, Strategy & Architecture
66% Mitigating risks
51% Improving processes and efficiencies
45% Expanding digital business and increasing maturity
Challenges around Cloud Security, Strategy & Architecture
58% Lack of skills
47% Lack of resources
45% Quickly changing landscape
Here is a sample of what executives have told us anecdotally about managing and securing the cloud:
Moving to the cloud allows you to clean up your technical debt. With on-prem[ise], you are able to fully secure your perimeter, but with cloud you need to go deeper into your stack to do this.”
Attacks are becoming more sophisticated and don’t look suspicious. Before the cloud, the risk was data confidentiality, but now it's losing data availability.”
Cloud security depends on hundreds of switches that need to get switched properly. There is room for error.”
CISOs primarily want to learn more about this topic from a strategic perspective (83%), but also from an execution point of view (72%).
Managing Risks from Third-Parties
For their second highest priority of third-party risk management, CISOs reported that mitigating risks (84%) is their primary goal, while they view a lack of resources (47%) as their main obstacle to achieving that goal.
Goals for Third-Party Risk Management
84% Mitigating risks
47% Improving processes and efficiencies
33% Improving metrics & KPIs
Challenges around Third-Party Risk Management
47% Lack of resources
32% Quickly changing landscape
30% Company culture
These are some of the opportunities and concerns we have heard from CISOs about their goal of managing third party vendors and partners:
Many of the recent attacks came from third parties, so it is important for companies to have structures to manage their whole cyber ecosystem. While you can't control the security hygiene of the third party themselves, you can influence how they interact with you.”
We need to find a balance — how do we ascertain a level of protection in IT environments that is sufficient for vendors?”
This issue focuses on both how robust we and our partners are… Organizations find it difficult to demonstrate improvement because it is hard to ensure resilience for your partners.”
CISOs want to discover more about third-party risk management from a strategic perspective (76%), but also how to execute on those strategies (70%).
Communicating Effectively About Risk
The other top priority for security leaders this year is how to measure and communicate risk — particularly to other C-suite leaders and the board. CISOs cited mitigating risks as their top goal, while a lack of resources and company culture were tied for the biggest challenges.
Goals for Measuring & Communicating Risk
72% Mitigating risks
67% Improving metrics & KPIs
50% Making data-driving decisions
Challenges around Measuring & Communicating Risk
41% Lack of resources
41% Company culture
29% Leadership buy-in
CISOs told us their specific concerns around risk measurement and communication, including the following:
What is difficult is quantifying the process of doing this – what is actually important and… how to prioritize beyond the noise. The assurance piece is really key at the moment.”
We are finding that communicating security doesn't always resonate right. We have simplified the communication by building a scorecard with a letter grade, showing areas to work on and where to prioritize activities.”
We are working on how to package all of this information into something the Board can understand and manage.”
CISOs are interested in learning more about this topic from a strategic perspective (72%), and also from a leadership point of view (65%).
What Lies Ahead
Overall, CISOs responding to our survey in 2022 have a clearly defined goal to mitigate risk in their functional area, which mirrors their top enterprise goal of reducing risk. Their biggest challenge in reaching that goal is a lack of resources, followed by a lack of skills. This suggests that security leaders are still working to measure and articulate the true cost of keeping their organizations secure.
As one CISO put it, there are both financial risks and reputational risks to the organization, but “how do people quantify reputational risk?” CISOs today must “get the reputational risk quantified in a fiscal amount.”
Another security leader noted that there is more awareness of security threats in the current environment, putting more pressure on the CISO to provide context to these threats for the Board and senior leaders. This CISO said, “Stakeholder assurance has never been so key. They are more sensitive to the events globally and their impact.”
This suggests that CISOs need to exercise leadership skills outside of their security and technology expertise – such as communicating effectively and managing organizational change. As one CISO noted about their cloud journey: “The technology is not complicated. It's the change management that's been tough. We had to get the security team to think differently... They're not just responsible for installing tools.”
CISOs are at different stages of their cloud journeys and report that increasing maturity and security are highly important. They are driving their functional initiatives forward, like cloud security, strategies and architecture, while taking a broader role in managing and communicating about risks to the organization.
While CISOs want to be proactive and prepared for what’s next, there are challenges to being forward-looking in such a quickly changing environment. As one noted, “Moving to the cloud in a secure way is a huge priority for us… but what the goals will be in 3 years?”
The changing landscape and increase in cybersecurity threats offers opportunities for CISOs to collaborate and learn from their peers. If you want to talk about what’s next for security leaders, Evanta offers regional communities of CISOs that meet both in person and virtually throughout the year. Join them to discuss the mission-critical priorities addressed in this survey report. Click here to find an opportunity to connect with your community.
Based on more than 1,000 CISOs’ responses to Evanta’s 2022 Leadership Perspective Survey.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.
