Despite a hard economic climate, heightened global tensions and new technology making cybercrime easier, most, 76 per cent of the CISOs taking part in an annual survey, suggested that no material breaches had occurred to them; and 60pc said that no material cyber security incident had occurred in the past 12 months. Yet CISOs on average rated their organisation’s overall security posture lower than they did over the previous year. These were among findings from an Information Security Maturity Report, published by ClubCISO with Telstra Purple.
Last year, 46pc rated themselves as above average (giving themselves at least ‘four out of five’ stars) while this year, only 38pc rated themselves the same. About one in eight, more than 13pc of respondents don’t feel confident that their organisation will be able to meet key security objectives – an exact repeat of last year’s result.
While not directly linked, the disparity between falling material breaches and incidents and overall security postures might partly be explained by the positive cultural gains that CISO have observed, the report authors suggested. Some 80pc of respondents said they believed that their organisation’s security culture has improved to some degree in the last year. And when asked about the most important factors affecting these cultural improvements, 60pc stated that leadership endorsement was a major influence.
As for that culture in more detail, proactive ‘report it’ no-blame policies (41pc), simulated phishing (38pc) and tailored training (37pc) remain as the other key drivers of security culture. However, they did score lower than the previous year, perhaps showing reduced impact due to them becoming more of a well-established part of security culture.
Advisory Board Member, Jessica Barker, said: “Our findings this year acknowledge the crucial role that leadership endorsement plays in security culture. Cyber security has been rising up on the corporate agenda for a few years now, but this stronger alignment between security teams and senior leadership is very encouraging progress. Without tone (and resource) from the top, building a healthy security culture will always be more challenging.”
Compared to the year before, 67pc of CISOs cited stronger alignment with the executive team (compared with 59pc in 2022) and 54pc with the board (against 49pc in 2022). On the threat landscape, most members (72pc) responding to the survey now have cyber security insurance. However, the issue remains a divisive one, with some 15pc not wanting insurance and not believing in the benefits.
Rob Robinson, Head of Telstra Purple EMEA, sponsors of the ClubCISO community added: “The results from the members survey reinforce what we’ve been seeing in the market for some time now – security strategies need to be built around people to be truly effective. It seems that the decline in material cyber breaches is linked to the people and cultural improvements – a huge 80pc of CISOs suggested that their organisation’s security culture had developed positively over the last year. The fact that leadership endorsement is also being highlighted as a critical factor for establishing an effective security posture also recognises the progress CISOs have made at the very highest levels of business. Strong security is now clearly seen as a key corporate capability and that is in large part due to the voice CISOs have developed at the C-level.”
