The following is based on an industry study conducted by the Avertro team in mid-2021.
The most cyber resilient organisations have highly effective, engaged, empowered cybersecurity leaders. Every organisation’s goal should be to hire a Chief Information Security Officer (CISO) or equivalent who is capable of being that kind of leader.
Unfortunately, organisations that hire the most capable CISOs can still fail to be cyber resilient. If a good cybersecurity leader is not properly supported by the board and organisational leadership, they stand little to no chance.
To give a cybersecurity leader the best shot at being successful, organisations must drive a strategic, transformational approach instead of a compliance-centric one, have a board and C-suite that is accountable and empowered to address cyber risk, and create an operating model where the cybersecurity function reports to the business.
Key findings from the study:
- Most organisations in the study still consider cybersecurity to be a technology function - 68.3% of cybersecurity teams report to a technology executive.
- Almost half of the organisations in the study take a compliance-driven approach to cybersecurity - 46.3% take a compliance-driven approach, while 53.7% take a strategic, transformational approach.
- Organisations with a strategic approach to managing cyber risk have CISOs that are more able to make quick, effective cyber leadership decisions - 73.9% of CISOs within organisations that take a strategic approach are able to make quick, effective decisions, contrasted with 72.2% of CISOs within organisations that take a compliance-driven approach being unable to do so.
- Organisations that take a strategic approach to cyber are much more likely to have senior leadership take accountability for cyber risk - 90.9% of organisations taking a strategic, transformational approach to cybersecurity have boards and C-suites that are accountable for cyber risk.
- CISOs are almost twice as likely not to be able to make quick, effective cyber leadership decisions when reporting into a technology executive when compared to peers who report to a business executive - 10% of CISOs are rarely able to make quick, effective cyber leadership decisions when reporting into a business executive, compared to 17.9% when reporting into a technology executive.
- Organisational culture is less of a key challenge for CISOs who report to a business executive when compared to peers who report to a technology executive - Organisational culture is cited as a key challenge 10% of the time for CISOs who report to a business executive, compared to 23.7% of the time for CISOs who report to a technology executive.
- Cybersecurity leaders believe that board and C-suite accountability for cyber risk is high - Only 12.2% believed their board and C-suite did not take accountability for cyber risk.
- Organisations where senior leadership is accountable for cyber risk are more likely to take a strategic, transformational approach to cybersecurity - 55.6% of organisations with senior leadership accountability for cyber risk take a strategic approach, compared to only 40% when there is no senior leadership accountability.
- CISOs of organisations where senior leadership does not take accountability for cyber risk are not able to make quick, effective cyber leadership decisions - 60% of cyber leaders are rarely or only sometimes able to make quick, effective decisions in organisations where there is no accountability for cyber risk at the board or C-suite.
- The top challenge for CISOs when requesting funding for strategic and transformational initiatives is a lack of understanding by key decision-makers - The key challenges in order are: lack of understanding by key decision-makers (53.1%), organisational culture (34.4%), bureaucracy (31.3%), reporting lines (21.9%), resistance to change (15.6%).
- Government organisations are far too compliance-driven when it comes to managing cyber risk - 75% of government organisations in this study were compliance-driven.
- Despite their best efforts, CISOs of government organisations are hindered in their ability to make quick, effective cyber leadership decisions - 100% of government CISOs in this study stated that they were only rarely or sometimes able to make quick, effective cyber leadership decisions.
For access to the full report, visit our Reboot Cyber page.