
Cybersecurity Chronicles: CISO Priorities Unveiled

As guardians of digital assets and stewards of organizational resilience, CISOs must navigate a complex web of priorities, ranging from enhancing risk posture to embracing emerging technologies. Based on the CISO Priorities Survey 2024, in which over 560 security decision-makers shared their perspectives, this cover story examines this shifting paradigm. It delves into the top priorities, challenges, and strategies shaping the cybersecurity landscape and into the evolving role of CISOs in navigating these turbulent waters.

Emerging from over three years of the COVID-19 pandemic, the landscape in which Chief Information Security Officers (CISOs) operate has irrevocably changed. Cybersecurity has transcended its traditional IT roots to become a distinct functional area of the business, essential for delivering broader business outcomes. Organizations increasingly recognize the pivotal role cybersecurity plays in enabling success across all facets of the business, from safeguarding sensitive data to fostering customer trust and driving innovation. As a result, the future role of the CISO has never been more vital.

The CISO Priorities Survey 2024 offers a comprehensive insight into the evolving cybersecurity landscape, providing a nuanced understanding of the shifting priorities, challenges, and investment strategies of CISOs. With responses from over 560 security decision-makers across various industries, the survey delves into key areas such as budget allocations, outsourcing trends, board engagements, talent management, and the adoption of emerging technologies.

In this cover story, we embark on a detailed analysis of the CISO survey findings, shedding light on the strategic imperatives shaping the cybersecurity landscape. From navigating budgetary constraints to harnessing the power of Artificial Intelligence (AI) for cyber defense, CISOs are at the forefront of driving organizational resilience in the face of evolving cyber threats. Through proactive strategies and a holistic approach to cybersecurity, organizations can align their security initiatives with broader business objectives, ensuring sustainable success in an increasingly digital world.

Enhancements to Risk Posture based on Cyber Roadmap is the Top CISO Priority


Top cybersecurity priorities over the next 12 months

  1. Ongoing improvements in risk posture based on cyber roadmap
  2. Modernization of technology including cyberinfrastructure
  3. Optimization of current security technology and investments
  4. Expansion of threat detection capabilities and solutions

At the heart of CISO priorities lies the ongoing quest to enhance risk posture based on a robust cyber roadmap. Over two-thirds (68%) of surveyed CISOs prioritize ongoing enhancements to their risk posture based on a cyber roadmap, signaling a strategic commitment to adaptability and resilience in the face of evolving threats. Additionally, 50% emphasize the modernization of technology, including cyber infrastructure, recognizing the importance of staying ahead with updated tools and systems. Furthermore, 45% focus on optimizing current security investments, while 44% emphasize expanding threat detection capabilities and solutions.

The findings reveal a multi-faceted approach to addressing cybersecurity challenges, with a clear emphasis on enhancing risk posture through ongoing improvements based on a cyber roadmap. This priority underscores a strategic focus on continuous evaluation and refinement of security strategies to adapt to evolving threats effectively. Simultaneously, the prioritization of modernizing technology, optimizing current security investments, and expanding threat detection capabilities reflects a comprehensive strategy aimed at bolstering the organization’s overall cybersecurity resilience. Such priorities signify a recognition of the dynamic nature of cyber threats and the need for agile, proactive measures to safeguard digital assets and maintain operational continuity in an increasingly complex threat landscape.

Zero Trust Principles Dominate CISOs’ Cybersecurity Investments


Top cybersecurity areas to drive investments

  1. Adoption of zero-trust security principles
  2. Enhancement of incident response and recovery processes
  3. Proactive threat intelligence and threat-hunting capabilities
  4. Deployment of cloud security solutions and services
  5. Implementation of advanced data protection solutions
  6. Integration of security automation and orchestration tools


52% of surveyed CISOs prioritize the ‘Adoption of Zero Trust security principles’ as their foremost cybersecurity investment focus. Additionally, 40% of CISOs each prioritize ‘Enhancing incident response and recovery processes,’ ‘Proactive threat intelligence and threat-hunting capabilities,’ and ‘Deploying cloud security solutions and services.’ Moreover, 36% of CISOs each prioritize ‘Implementing advanced data protection solutions’ and ‘Integrating security automation and orchestration tools’ as their primary investment areas.

The survey findings highlight a nuanced approach to cybersecurity investment, reflecting a diverse set of priorities aimed at fortifying organizational defenses. The emphasis on adopting zero-trust security principles by a majority of CISOs underscores a paradigm shift towards a more proactive and granular security model. Additionally, the widespread focus on enhancing incident response, threat intelligence capabilities, and cloud security solutions reflects a recognition of the evolving threat landscape and the need for robust defenses across multiple fronts. Moreover, the prioritization of advanced data protection and security automation tools signifies a concerted effort to safeguard sensitive data and streamline security operations in an increasingly complex digital environment.

Decentralized Infrastructure and Talent Shortages are Key CISO Concerns


Top barriers while addressing cybersecurity challenges

  1. Decentralized IT and security infrastructure and operations
  2. Shortage of skilled staff/lack of appropriate skill sets
  3. Legacy infrastructure and solutions to address emerging threats
  4. Technology/product/solution didn’t live up to the expectations


Nearly half (48%) of surveyed CISOs identified decentralized IT and security infrastructure and operations as their primary barrier to addressing cybersecurity challenges in the past 12 months. Following closely, 44% cited a shortage of skilled staff or lack of appropriate skill sets as the second-largest challenge. Additionally, 40% of respondents each cited challenges related to legacy infrastructure and solutions, as well as instances where technology, products, or solutions fell short of expectations.

The findings shed light on the primary challenges faced in addressing cybersecurity concerns over the past year. The prevalent issue of decentralized IT and security infrastructure underscores the complexity of modern organizational landscapes, where disparate systems and operations pose significant hurdles to cohesive security management. Additionally, the shortage of skilled staff reflects a persistent industry-wide struggle to recruit and retain talent capable of navigating evolving cyber threats effectively. The significant concerns surrounding legacy infrastructure and unmet technology expectations highlight the need for agile, adaptive solutions that can adequately address emerging cybersecurity challenges while aligning with organizational needs and expectations.

“We must critically evaluate the practicality and relevance of cybersecurity courses in universities to ensure graduates are adequately prepared for the evolving cyber landscape,” says Dr Fene Osakwe, Council Member, Forbes Technology & Cyber Security Mentor, Springboard.

Cyber Career Pathways Take Center Stage in CISO Priorities

Changes in the cybersecurity team size

Top strategies to engage, retain, and develop security talent

  1. Specialized career path
  2. Training and certification programs
  3. Rotational roles/internal mobility
  4. Attractive monetary compensation
  5. Flexible/hybrid working options

The findings reveal diverse strategies to engage, retain, and develop security talent, with a clear emphasis on specialized career paths as the top priority for 56% of respondents. This highlights a growing recognition of the importance of providing clear progression opportunities and skill development pathways within the security field.

Additionally, training and certification programs are valued by 48% of CISOs, indicating the significance of ongoing learning and professional development in retaining talent. Rotational roles and internal mobility, favored by 36%, offer employees diverse experiences and opportunities for growth. While monetary compensation and flexible working options also hold appeal, the emphasis on career advancement and skill enhancement underscores the critical role of professional development in talent retention within the cybersecurity domain.

Further, the findings reveal a mixed picture regarding changes in security team size within organizations. While almost 45% report an increase in team size by 10% or more, with a notable 20% experiencing growth of 11-30%, a majority of CISOs (52%) indicate that their team size has remained unchanged.

This variation in team size adjustments may reflect differing organizational responses to evolving cybersecurity threats and priorities. Factors such as increased awareness of cyber risks, regulatory requirements, and the growing complexity of IT environments could drive organizations to invest in expanding their security teams. Conversely, other organizations may prioritize optimizing existing resources or leveraging technology solutions to enhance security capabilities without significant changes in team size.

CISOs are Embracing GenAI for Cyber Risk Management

Plans to use Generative AI for cyber defense

Nearly half (48%) of surveyed CISOs plan to implement GenAI for cyber defense within the next 12 months. Additionally, a substantial 44% are already utilizing GenAI for cyber risk detection and mitigation. Among these users, 24% report experiencing tangible benefits to their cyber programs. However, 8% express dissatisfaction, citing a lack of significant benefits despite already implementing GenAI.

The findings underscore a growing reliance on GenAI technology for cyber defense. This indicates a widespread recognition of the potential of AI-driven solutions to enhance cybersecurity measures. The significant portion already using GenAI for risk detection and mitigation, along with a subset experiencing tangible benefits, highlights the efficacy of these tools in bolstering cyber programs. However, the minority reporting no significant benefits suggests that while the technology holds promise, successful implementation may require fine-tuning or more tailored integration to fully realize its potential across diverse cybersecurity environments.

While GenAI offers exciting possibilities for innovation and efficiency, it also presents new vulnerabilities and security risks. CISOs must carefully assess the implications of integrating GenAI into their systems to safeguard sensitive data and mitigate potential threats. By adopting a cautious approach, CISOs can proactively tackle security concerns and develop strategies to protect their organizations. It’s crucial for CISOs to stay informed about AI technology advancements and collaborate with their teams to implement robust security measures aligned with their organization’s needs.

The rapid evolution of artificial intelligence brings forth various security challenges. From data breaches to ethical dilemmas in AI decision-making, the landscape is complex. A key concern is the potential manipulation or bias in AI systems, leading to discriminatory outcomes. Ensuring fairness and transparency in AI algorithms is essential. Additionally, interconnected AI systems raise fears of large-scale cyber attacks and threats to critical infrastructure. Protecting against such risks demands robust cybersecurity measures and constant vigilance. Moreover, managing vast amounts of data processed by AI systems poses challenges in data privacy and protection.

CISOs can tackle these challenges by deploying AI-powered security solutions to detect and respond to breaches effectively. Fostering a cybersecurity-aware culture among employees through training and communication is vital. Collaboration with AI experts and staying updated on AI developments are also crucial for devising defense strategies against potential cyber threats. By understanding how AI technologies can be exploited by cyber attackers, CISOs can proactively devise robust defense strategies. In summary, addressing security challenges in GenAI requires a multifaceted approach involving advanced security solutions, awareness campaigns, and staying informed about AI advancements.

Cloud Security & Application Security Top Outsourcing Priorities

Outsourcing specific cybersecurity functions to managed security service providers
Cybersecurity tasks being outsourced

The findings underscore a notable trend towards outsourcing cybersecurity functions to managed security service providers (MSSPs), with a significant 40% already leveraging external expertise in this realm. Additionally, the prospect of outsourcing is appealing to 32% of CISOs, who are considering such a move in the near future.

This growing inclination towards outsourcing can be attributed to several factors, including the increasing complexity of cyber threats, the shortage of skilled cybersecurity professionals, and the need for specialized expertise and round-the-clock monitoring. By outsourcing certain functions to MSSPs, organizations can access advanced capabilities, enhance their cybersecurity posture, and alleviate the burden on internal resources, allowing them to focus on core business objectives. However, the 28% of CISOs who opt not to outsource may prioritize maintaining control over sensitive data or prefer in-house expertise tailored to their specific needs and requirements.

Top cybersecurity tasks CISOs are outsourcing

  1. Cloud security
  2. Application security
  3. Security operations center
  4. Forensics/legal support
  5. Infrastructure security
  6. Cyber threat risk assessments
  7. Security events/audit-log analysis and reports

The results paint a clear picture of the cybersecurity tasks most commonly outsourced or likely to be outsourced to managed security service providers (MSSPs). Cloud security emerges as the top priority, with a majority of 56% of CISOs opting for outsourcing in this area. This trend is unsurprising given the complexity and specialized nature of cloud security requirements, coupled with the rapid adoption of cloud technologies.

Additionally, the significant outsourcing of application security by 36% of CISOs reflects the need for expert oversight in safeguarding critical software assets. Tasks such as security operations center management and forensics/legal support follow closely, indicating a recognition of the benefits of outsourcing these specialized functions to external partners. This strategic allocation of responsibilities allows organizations to tap into specialized expertise, enhance operational efficiency, and bolster their overall cybersecurity posture.

Divergent Confidence Levels in Cybersecurity Breach Response

Confidence in identifying and securing a cybersecurity breach
Confidence in the cybersecurity practices of third-party security service providers

The findings highlight a notable discrepancy in confidence levels regarding the ability to quickly identify and secure cybersecurity breaches within organizations. While a majority, constituting 56% of respondents, express confidence in this capability, a significant 32% admit to being either unsure or not very confident. Moreover, only 12% of CISOs report feeling very confident in their organization’s readiness to handle cybersecurity breaches promptly.

This variance in confidence underscores the multifaceted nature of cybersecurity preparedness, which is influenced by factors such as the complexity of cyber threats, the efficacy of detection and response mechanisms, and the level of investment in cybersecurity resources and training. Addressing this disparity requires a holistic approach, encompassing continuous improvement of detection and response capabilities, robust incident response planning, and ongoing cybersecurity awareness and training initiatives across the organization.

Further, the results reveal a nuanced perspective on the confidence levels in the cybersecurity practices of third-party security service providers. While a majority, comprising 52% of respondents, express some level of confidence, a notable 12% admit to feeling not very confident in these practices. Interestingly, only 36% of CISOs report being very confident in the cybersecurity practices of their third-party providers.

This variation in confidence levels underscores the importance of diligent vetting and ongoing monitoring of third-party vendors’ security protocols. Concerns stem from factors such as the lack of transparency or visibility into vendor security measures, instances of data breaches or security incidents involving vendors, and evolving regulatory requirements governing vendor risk management. To address these concerns and build greater confidence, CISOs should prioritize robust vendor risk management frameworks, regular assessments, and clear communication channels with third-party providers.

Cyber Insurance Gains Major Traction as CISOs Look to Mitigate Risk

Plans for cyber insurance?


The outcomes unveil a growing recognition of the importance of cyber insurance as a crucial component of organizational risk management strategies. While 36% of respondents already have cyber insurance in place, a significant majority of 52% are actively considering purchasing cyber insurance for their organizations.

This trend reflects a heightened awareness of the evolving cyber threat landscape and the potential financial ramifications of cyber incidents. Cyber insurance offers a safety net against the increasing frequency and sophistication of cyberattacks, providing financial protection for costs related to data breaches, business interruptions, and regulatory fines. The relatively low percentage of 12% of CISOs without cyber insurance underscores the need for greater education and awareness about the benefits of this coverage, particularly as cyber risks continue to escalate in complexity and severity.

Over 56% of CISOs Anticipate Cybersecurity Budget Increases

Compared to last year, cybersecurity budgets are likely to
Allocation to cybersecurity from the overall IT budget

The outcomes reveal an upward trajectory in cybersecurity budgets, underscoring a heightened awareness of the escalating cyber threats facing organizations. Over 56% of respondents anticipate an increase in cybersecurity budgets of more than 10%; of these, 16% expect substantial growth of 30% to 50%. With cyberattacks growing in sophistication and frequency, allocating substantial resources to bolster cybersecurity defenses has become imperative.

On the other hand, 40% of CISOs foresee budgets remaining stagnant. This variance in expectations reflects the diverse challenges and priorities facing organizations in allocating resources for cybersecurity initiatives. Factors such as the proliferation of remote work, the expansion of digital footprints, and stringent regulatory requirements further amplify the need for robust security measures. However, competing budgetary priorities, resource constraints, and uncertainties surrounding economic conditions are contributing to the sizable proportion of CISOs expecting budgetary stagnation. Balancing the need for robust cybersecurity measures with fiscal prudence remains a key challenge for organizations in the coming year.

Further, the findings highlight that a notable 52% of CISOs report dedicating 11% or more of their overall IT budget to cybersecurity, with a significant 16% allocating a substantial 21-30% specifically for security initiatives. This allocation reflects a recognition of the critical importance of cybersecurity in modern business operations and the escalating cyber threats faced by organizations.

However, a sizable portion, comprising 40% of respondents, allocate a more moderate 6-10%, while 8% allocate a comparatively lower 5% or less to the security budget. This variance in allocation underscores differing organizational priorities, risk appetites, and budget constraints, highlighting the need for a balanced approach in resource allocation to effectively address cybersecurity challenges while optimizing overall IT expenditure.

“While the allocation for security budgets is increasing due to the recognized importance by the board, customer experience and digitalization also receive significant attention,” says Abhijit Chakravarty, Senior Vice President of Core Network & Security Operations, HDFC Bank.

CISOs Split on Satisfaction with Cybersecurity Budgets

Does the cybersecurity budget meet the expectations of the security team?

The outcomes reveal a significant divergence in perceptions regarding cybersecurity budget allocations within organizations. While a majority, comprising 52%, express satisfaction with the security budget allocation, a notable 44% of CISOs feel that the budgets only barely meet expectations and requirements. This disparity in satisfaction levels underscores the challenges faced by organizations in effectively allocating resources to address cybersecurity needs adequately.

Factors such as evolving cyber threats, increasing regulatory requirements, and the need for investment in advanced security technologies contribute to the heightened expectations among security teams. However, competing budgetary priorities, resource constraints, and the difficulty in quantifying the return on investment in cybersecurity initiatives result in perceived inadequacies in budget allocations. Striking a balance between budgetary constraints and the imperative to strengthen cybersecurity posture remains a key challenge for organizations.

Cybersecurity Occupies Major Mindshare among Board Members

How frequently does the board address or engage in cyber-related issues?

The findings shed light on the frequency with which cybersecurity issues are addressed by organizational boards. A significant 36% report that cybersecurity occupies a monthly slot on the board agenda, indicating a proactive stance towards addressing cyber-related concerns at the highest levels of governance. However, a majority of 56% reveal that their boards address cybersecurity matters quarterly, suggesting a more periodic approach to addressing these issues.

This variation in frequency may reflect differing organizational priorities, risk appetites, and board compositions. Factors such as the evolving cyber threat landscape, regulatory requirements, and recent high-profile cyber incidents likely influence the frequency of board engagements on cybersecurity matters. Ultimately, ensuring regular board engagement on cyber-related issues is crucial for fostering a robust cybersecurity posture and aligning organizational strategies with evolving cyber risks.

CISOs Prioritize Monthly Cybersecurity Awareness Training for Employees


A significant majority, comprising 52% of respondents, indicate that their organizations conduct cybersecurity awareness training every month. This frequent cadence reflects a proactive approach to ensuring that employees remain vigilant and well-equipped to recognize and respond to evolving cyber threats. Additionally, 24% of organizations opt for quarterly training schedules, while 16% conduct training annually.

However, 8% of organizations without any scheduled training regimen may be missing out on opportunities to cultivate a strong security culture and mitigate the risk of human error-related cyber incidents. Continuous and regular cybersecurity awareness training is essential in fostering a resilient security posture, enhancing employee awareness, and safeguarding against potential cyber threats.

“Over 80% of cybersecurity breaches stem from user actions, underlining the need for organizations to prioritize user readiness and awareness,” says Jenny Tan, President, ISACA Singapore Chapter.

Further, the outcomes underscore a strong commitment to cybersecurity awareness training within organizations, with a significant majority of 76% reporting that such training is mandatory for all employees. This reflects a recognition of the critical role that employees play in maintaining a robust cybersecurity posture and mitigating the risk of cyber threats. By making cybersecurity awareness training mandatory for all employees, organizations are ensuring that every individual understands their role in safeguarding sensitive information and detecting potential security incidents.

Moreover, the 16% of organizations mandating training for some employees may reflect a targeted approach based on job roles or access levels requiring heightened security awareness. However, the 8% of organizations offering optional training are missing out on the opportunity to cultivate a comprehensive security culture across the entire workforce, potentially leaving gaps in overall cybersecurity readiness.

CISOs Eye Broader Business Roles in Career Evolution

CISOs’ aspirations

The findings shed light on a significant shift in CISOs’ career aspirations and the evolving nature of their roles within organizations. A majority, comprising 56% of respondents, express a desire to move on from their current positions or broaden their responsibilities to encompass more business-oriented roles. This trend reflects a growing recognition among CISOs of the need to align security initiatives with broader business objectives and priorities.

Interestingly, 32% of CISOs are willing to broaden their roles to become business leaders in the area of trust, encompassing security, risk, and compliance—a testament to the expanding scope of responsibilities within the cybersecurity domain. Additionally, 12% aspire to transition into a CIO role or take on other technology leadership positions, indicating a desire for career advancement and greater influence in shaping organizational strategy and technology initiatives. This trend underscores the evolving role of the CISO from a purely technical function to a strategic business enabler, highlighting the importance of integrating security considerations into overall business decision-making processes.