In a survey of 73 cross-sector and anonymous CISOs in May, the ClubCISO group found a mixture of positive and negative news.
On the positive front, the report found that security awareness training programmes are more frequent, that there's increasing interaction with senior executives as well as more independent information security budgets, while security staff retention increased by 33 percent year-on-year.
However, it also details numerous areas for improvement. For example, security professionals complained that infosec is still seen as a tick-box exercise (only 34 percent regard it as an essential business function) and that it remains a subset of IT. Meanwhile, some see a reluctance to implement SIEM solutions, there are problems with DLP and cloud security management, and confidence in BYOD programmes is falling.
Compliance was generally seen as reactive and incident driven, while security testing and confidence in third-party suppliers were other considerable conundrums for security chiefs.
In the supply chain, there was a marked decrease in background checks on staff. The initial level fell from 40 percent (2014) to 23 percent, although ‘repeatable’ and ‘defined’ checks increased from 12 percent each to 23 percent and 20 percent respectively.
“The issue we have is with suppliers of suppliers of suppliers,” said one unnamed CISO. “The biggest three breaches in the last 12 months have all involved third parties,” added another.
When asked how the security of their supply chains was assessed, only 14 percent of those surveyed said they commonly used audits and inspections, with most relying on ad-hoc processes and paper questionnaires.
Many CISOs have concerns that there are too many large suppliers dictating the assessment process.
Phil Cracknell, chairman and founder of ClubCISO, told SCMagazineUK.com that supply chain issues, first keenly felt by financial service providers, are now hurting all firms.
“The supply chain security issue is one that all service providers must address, no matter how small.
“The main reason for this is because it is becoming increasingly difficult for larger organisations to ‘overlook’ weaknesses in a supplier’s security as they have previously, due to regulations and legislation pushing the responsibility to the organisation to be sure its suppliers are secure.
“Furthermore, as we move more to cloud and outsourced technology offerings and data processing services, this transition will be hampered by unacceptable levels of security from these suppliers.”
Board issues remain
Elsewhere, the ClubCISO report indicates that the uneasy truce between security and the board remains, although some CISOs reported being invited to more non-security-related board meetings. That said, this was rare, and for half of those polled it never happens.
CISOs said that a focus on better metrics, such as data breach cost and business impact, would “significantly improve the board's ability to manage risk.”
More positively, there has been a clear trend towards information security having its own budget. The number of CISOs who do not have one has dropped from 26 percent to 10 percent, although two-thirds of CISOs said that their budgets had fallen over the last year (some said this was because they were running fewer projects).
CISOs exposed on two fronts
“CISOs say their organisations are exposed on two fronts: poor data loss prevention (DLP) leads to more incidents, and poor breach response planning means more of those incidents could become critical,” reads the executive summary from the report.
“Much security management remains too reactive. Logging, training and enforcement are often driven by specific security events, and organisations remain reluctant to implement full security incident and event management (SIEM).”
The report further notes that security managers are suspicious of marketing-led threat reports, especially as time is a precious commodity now that their roles entail everything from people and third-party management to dealing with regulators, legislation and brand protection.
Reporting lines continue to vary, although most CISOs in the report believe they should report directly to the board.
When asked if their firm had suffered a data loss incident in the last year, ‘not aware of one’ rose from 19 percent to 33 percent, while ‘no’ dropped significantly from 14 percent to 8 percent.
“In other words, only two-thirds of CISOs polled remain confident they have not suffered data loss incidents,” says the report.
Of those who had been breached, more than 20 percent cited insiders as the reason, with a similar percentage saying it was ‘our fault’.
Cracknell has one word of caution, with the EU’s General Data Protection Regulation looming: “Start educating your board on the need for cyber-breach response and incident response planning. Do so while you are not in crisis and do so before legislation makes you.”
Independent cyber-security consultant Amar Singh, founder of Give01Day, said the report carried no surprises.
“This survey seems to support mine and other opinions that most organisations remain greatly unprepared to detect and more importantly swiftly respond to a cyber-attack.”
He added that supply chain management remains a “major concern” as more firms outsource “low-level, boring tasks”, before noting that CEOs “do not appear to be recognising the importance of the CISO or equivalent” and thus still hold CIOs and legal counsels accountable for cyber-security.
“Cyber-security is the responsibility of all stakeholders and the CEO of an organisation needs to make that clear. Cyber-security is a business risk not an IT risk - treat it as a business challenge not an IT add-on.”
Some of the report's key points are listed below:
- CISOs have ‘marginally more confidence’ in the maturity of their cloud security strategies compared to a year ago. Those ranking their strategy as ‘managed’, the second highest rating, increased from five percent to 15 percent.
- CISOs have less confidence in their BYOD security strategy. 67 percent of respondents rated their mobile strategy and operations on the two lowest levels of the Capability Maturity Model (CMM) scoring.
- Security awareness training is on the up: 42 percent said they did this ‘frequently’ compared to 21 percent a year ago. ‘Never’ fell from 21 percent to four percent.
- 38 percent of CISOs have no remit over business continuity or disaster recovery.
- 11 percent of CISOs now report to the board.
- Over 80 percent of UK businesses do not have a breach response plan.
- 38 percent of organisations regard security as a business enabler, although the perception of security as a cost centre fell from 81 percent to 62 percent.