Report suggests organizations sacrifice client privacy to save money
A report by Bugcrowd finds that 1 in 3 security leaders believe that half of organizations are willing to trade their customer’s privacy in order to save money. By surveying more than 200 security leaders across the globe, the report aimed to better understand the nuanced role of the CISO. Key findings include:
- 91% of security leaders anticipate AI will outpace the capabilities of security teams.
- 56% report that their teams are understaffed, and 87% are currently hiring.
- Due to AI adoption, 70% plan to decrease the headcount on their security teams within the next 5 years.
Security leaders weigh in
Gareth Lindahl-Wise, Chief Information Security Officer at Ontinue:
“This latest report from Bugcrowd is quite insightful, highlighting some very real tensions in the industry, specifically around the CISO role.
“We have had a decade of ‘protect what is valuable’ and the Bugcrowd report highlights the need to move to a focus on ‘protect what will be attacked’. Crowdsourcing and the use of AI to identify real world attacks targets is a good way of organizing your limited resources for the best return.
“As noted in the report, the threat of using AI outpacing the ability to manage them is an uncomfortable truth. The reality is most governance processes can’t keep up, or don’t have the teeth to stop adoption, and there will be a necessary focus on identifying when the issues arise and responding to them.
“Burnout amongst CISOs is something I can relate to from both previous experience and in speaking with my peers. One often finds themselves at the pointy end of the ‘irresistible force’ for business growth (or sometimes survival) against a ‘potential’ risk of something happening. This brings me to another key point in the report. I wonder if the willingness of businesses to take risks does, in some part, fall to a historical failing of security professionals to be able to articulate the likelihood of the risk occurring in a grounded, relatable way.
“I have often seen critical risks dismissed due to a lack of understanding. Depending on the organization, the CISO is a risk advisor. If the facts are delivered in a consumable way, the business may well take a decision to accept elements of the risk — if it is conscious and informed decision making, I think the CISO has done their job.
“Well, that’s the theory — and when the corporate memory fails in the face of an incident and blames the CISO, you reinforce the short tenure and burn out.”
Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens:
“The latest Bugcrowd report reveals a concerning state of cybersecurity. Only 18% of security leaders prioritize “avoiding breaches at all costs”, while more than 30% are striving for the unrealistic goal of “building a ‘security brand’ for competitive advantage”. The best brand promise that an enterprise can offer its stakeholders is that they are “Breach Ready”. Yes, AI is faster, smarter and not susceptible to fatigue and burnout. However, I am convinced that the future lies in Autonomous Cyber Defense, leveraging automation, machine learning and AI.”
George Jones, Chief Information Security Officer at Critical Start:
“The role of the CISO is evolving with today’s CISOs not only responsible for protecting organizational assets but also becoming key players in strategic business decisions. The role often integrates with other executive positions such as Chief Information Officer (CIO) and Chief Security Officer (CSO), reflecting the need for a holistic approach to both digital and physical security.
“The path to becoming a CISO is varied, with many leaders coming from different backgrounds and holding multiple roles in their careers. Offensive security experience is becoming more prevalent as it provides different insights and perspectives into potential attack vectors and defense strategies. Educational backgrounds also vary, with 82% of CISOs holding degrees in cybersecurity and 47% having over a decade of industry experience.
“The increasing responsibilities and evolving challenges faced by CISOs are leading to new challenges and require a multi-faceted approach. As security becomes a critical competitive advantage, CISOs must navigate complex threat landscapes, leverage AI, and foster a culture of security within their organizations. Aspiring CISOs should focus on gaining diverse experience and developing strong communication skills to succeed in this dynamic and essential role.”
Piyush Pandey, CEO at Pathlock:
“In addition to putting up with a C-Suite disconnect because not all leadership teams grasp the gravity of cybersecurity risks, CISOs now have to contend with personal liability and reputational repercussions due to requirements for more transparent disclosure about data breaches and cyber events. Combining these issues with pressure from day-to-day security operations without a commensurate compensation uplift would be a significant disincentive.
“The future outlook for CISOs is heavily dependent on how organizations respond to the evolving industry challenges. If businesses prioritize security and compliance, integrate CISOs into top-level strategic planning, and provide them with adequate resources, the outlook for CISOs could significantly improve. However, if challenges like escalating threats, budget constraints and regulatory pressures aren’t met with prioritized resources, the role may become increasingly difficult, potentially leading to greater dissatisfaction.
“Boardrooms and C-Suite Executives need regular threat briefings that are collaborative rather than judgmental to bridge the knowledge gap and foster empathy for the challenges a CISO has to face. Most other roles in the C-Suite aren’t facing “bet the business” decisions on a daily basis. Organizations need to celebrate their security successes as well. There’s no shortage of phishing attacks, network intrusions and business controls violations that are caught before they have a material impact on the business. These need to be shared across the organization to heighten awareness, increase vigilance and promote cross-functional teamwork on cybersecurity.”