The ClubCISO 2021 Information Security Maturity Report

We all have heard and read how the pandemic has disrupted our lives, how it has accelerated digital transformation to an unprecedented extent and how it challenged the existing security policies and practices. The question is how the people responsible for fortifying their organizations experienced the whole situation.

Letter from the frontline

The ClubCISO community has surveyed its members to understand how CISOs and organizations in general reacted to this crisis. If there is a lesson to be learnt, this is that organizations need to always be prepared and resilient. Crises come and go, new risks will always emerge, but the goal of every organization should be to continue operations even under the harshest conditions.

The ClubCISO 2021 Information Security Maturity Report is like a letter from the frontline. There was never a time before that CISOs were more important to an organization than the past year. “This past year has told us that CISOs and the wider security function are making a tremendously important impact. They just need to maintain momentum, while ensuring their jobs are still enjoyable and their people are still motivated,” notes Tom Berry, ClubCISO Advisory Board Member in the report’s executive summary.

That increased importance of the CISO function is demonstrated in the survey findings – only 14% of organizations still fail to view infosec as important as CISOs do. It was the CISO who managed to prepare and protect their organization to cope with the demands of the pandemic: 88% of the participants admit that their existing capabilities coped with COVID19, while 66% believe that their organization’s security posture improved or remain unchanged during the pandemic.

To achieve this level of resilience, culture plays an important role. This is indicated by the survey findings: 61% of the respondents reported that the existing organizational culture improved or exemplified security best practices. Building and maintaining a culture of cybersecurity hygiene is important for an organization to be able to evolve its security practices to cope with emerging risks and threats. Hence, it is no wonder that security culture is a hot topic for 56% of the organizations.

Another important factor that helped CISOs succeed in their role is business knowledge. In fact, the report findings indicate that business knowledge is three times more important than technology knowledge for good CISOs. This type of knowledge is required to align security policies with business goals and objectives for security to be an enabler of innovation and not a barrier.

However, not everything is rosy. Being a CISO requires strong guts. Being able to address and successfully protect your organization against sophisticated attacks is a stressful experience. CISOs recognize that and 36% of them admit that the stress their security teams are under affects their performance. The same level of stress is felt by the CISOs, and 10% are leaving their role because of the effect on mental health.

The experts’ opinion matters

Instead of driving you crazy with more numbers and statistics, I thought of asking ClubCISO members to share their opinion on some of the topics discussed in the report. Here’s what they told me.

How is corporate security evolving to meet the demands of accelerated digital transformation in response to the pandemic?

Manoj Bhatt, Head of Cyber Security Consulting and Advisory at Telstra Purple, and ClubCISO Advisory Board member:

“We are generally finding, there are 3 types of organisations. Those that were prepared and ready for the working from home. Those that had a plan and those that hadn’t even considered it. These differ from sector to sector and some have found the seismic shift easier than others. For those that were already prepared for working from home, corporate security has very much stayed the same. For those that have had to accelerate their plans or create new ways of working the corporate security teams have had to accept an element of risk and adapt to these new business models. For those corporate security teams where they have not been able to adapt and support the business they have not been involved in supporting the business transformation. It is recognised that not all security controls might have been embedded and that these will need to be addressed over the coming year, but we should recognise the reality. This year has been about business survival, this does not always fit a neat security framework. 

Regardless of the type of organisation we have seen a growing level of importance being placed on cyber security by organisations and their boards. Everyone is starting to understand the importance of cyber security and over the coming year we will see an adjustment period however the real question being asked is “How do we implement better security?”. This journey will differ for different organisations but it’s now more important than ever to align the corporate security strategy to the business.”

Has the role of CISO evolved during the past 12 months? If so, to which direction?

Stephen Khan, ClubCISO Chair

“The CISO role evolved in three key areas:

1. The importance of the CISO role to an organisation has come to the forefront as the workforce into their homes from offices. Leaders within the business looked to the CISO to secure their data and operational business processes for remote working.

2. This focus increased the visibility of the CISO to the wider organisation, was welcome, however, there was increased demand on CISOs, and their teams to provide secure capabilities going forward.

3. Despite this additional attention and demand, 2/3 of CISO’s and their teams maintained existing security risk posture and also made overall improvements.

In summary, the CISO role has increased its level of importance, and is seen as a key business enabler by business leaders across the organisations.”

Do you believe there is a gap between security and business?

Dr Jessica Barker, co-CEO at Cygenta and ClubCISO Advisory Board member

“Findings from the latest ClubCISO survey, our largest and most international survey to date, reflect real progress in the perception of security as a value-adding business function. The vast majority of the senior security leaders who completed our survey believe that their organisation sees security as being as important as they do, which has increased over the last year. Most reported that their security operations held up well with the impact of COVID-19: the last year or so has really highlighted the importance of resilience, with a forced digital transformation for many organisations and an associated widening of the threat landscape. This has helped bridge the gap between security and the rest of the business, as has an increasing recognition within security that we need to learn more about business culture and align security with the business (rather than simply expecting the business to align with security). This is reflected in organisations’ approaches to security awareness, behaviour and culture, too. The majority of CISOs report a positive security culture and have found that empowering people is a really important part of this, with initiatives such as awareness-raising aimed at people’s home lives, tailored training, champions programmes and bitesize content reported as most effective.”

Conclusion

The ClubCISO report is an essential read for everyone that manages or is responsible for information security within their organizations, and for those involved in managing risk. Business leaders should also read the report findings to get a better understanding of the challenges their CISOs or security teams face.

I would like to thank from the bottom of my heart Jessica Barker, Stephen Khan, and Manoj Bhatt for their time and valuable insights.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.