What it takes to be a CISO

by Mark Rowe

Most CISOs in a survey think that cybersecurity breaches are inevitable, according to the CISO Chief Information Security survey 2018, by PAC on behalf of the cyber security product company Kaspersky Lab.

CISOs find themselves having to fight for budgets every year, because, regardless of the amount of money spent on security, there will always be the risk of a security breach happening. Another approach by senior management is to include the IT security budget in the IT budget; meaning that IT security has to compete with IT operations. Although most CISOs do not report to IT anymore, if things go wrong IT is the first department to be informed.

The study found that only 26pc of CISOs surveyed are members of the board and only 25pc of those not on the board think they should be. The CISO should embrace lines of business (LoBs), the study suggested.

Maxim Frolov, VP Global Sales, at Kaspersky Lab, said: “Historically, cybersecurity budgets were perceived as a low priority IT spend, but this is no longer the case. The attack surface of modern businesses is growing, and so too is the frequency and impact of cyberthreats and the cost of cyber incidents. The result is that more and more C-Level executives are now treating IT security as an investment. Today, cybersecurity risks are top of the agenda for CEOs, CFOs and Risk Officers. In fact, a cybersecurity budget is not just a way to prevent breaches and the disastrous risks associated with them – it’s a way to protect business continuity, as well as a company’s core profile investments.”

According to the report, a CISO must know the company’s processes, internal culture, and key employees, and be involved in all projects that might influence the security exposure. Experience on the job leads to more involvement in business decisions, and the report suggests that for most people in cybersecurity, experience is key. CISOs increasingly hold an MBA in addition to their technical degrees so that they can better understand their businesses’ needs.

Most CISOs surveyed (68pc) hold a master’s degree. The longer the CISOs surveyed have held their position, the more likely they are to have a master’s. It appears that the minimum qualification for this position has been lowered recently due to a scarcity of talent. A majority (62pc) of the CISOs surveyed find it hard to hire new security talent.

Only a minority (46pc) of the CISOs surveyed hold any formal professional qualification. The most important professional qualifications are the information security management standard ISO 27001 (although this is not a personal qualification, the CISO as the top security manager plays a vital role in the certification), Certified Information Systems Security Professional (CISSP), and Certified Information Security Manager (CISM).

IT technical expertise is considered the top skill. Cybersecurity expertise is perceived as important, as well as business knowledge. While in the early days of IT security, technical literacy was key – and is still very important – risk management is now a big part of the CISO role. In fact, the CISO is now a cyber risk manager, according to PAC.

As for what those risks are, the external consequences include reputational loss, financial loss and legal consequences; the internal ones include the impact on business continuity.

As for work pressure, IT architectures are becoming increasingly complicated as new technologies and additional IT layers are added. The handling of personal data and sensitive information is an increasing source of pressure due to ever stricter regulations such as NIS and GDPR inside the European Union.

Since essentially all business processes depend on IT systems, these security threats can potentially affect a whole company, the report points out.

Methodology

From May until the beginning of July, PAC interviewed 250 IT security decision-makers (CISOs, directors and heads of IT security, and others) in the manufacturing and services sectors, based on a CATI (computer-assisted telephone interview) method.

Download a print version of the report at https://www.kaspersky.com/blog/ciso-report/24288/.

© 2024 Professional Security Magazine. All rights reserved.