Chief information security officers (CISOs) within organisations feel “unsupported, unheard, and invisible” according to a new report.

‘The Mind of the CISO’ research from Trellix was revealed onstage at the 2023 RSA Conference in San Francisco.
“I’ve been a CISO, it can be the loneliest position in tech,” said Trellix CEO, Bryan Palma. “Now is the time, with AI in the hands of both good and bad actors, to revolutionise SecOps strategies and fight back against criminals. We need to empower our CISOs to win every time.”
The research revealed that a huge number (96 percent) of CISOs don’t receive enough support from the executive board for the resources needed to maintain cybersecurity strength. Nearly half (46 percent) think their jobs would be easier if all employees across the entire business were better aware of the challenges of cybersecurity. In addition, almost a third (30 percent) of CISOs cite a lack of skilled talent on their team as one of the primary challenges.
The pressure is on CISOs. Eighty-six percent have managed a major cybersecurity incident once and four in 10 (42 percent) more than once. Eighty percent of respondents feel fully or mostly accountable for the incidents and 42 percent experienced major attrition from the Security Operations team as a direct result.
“It’s quite stressful because it is something where we say you have to be right all of the time. The bad guys only have to be right once,” said a CISO of a US-based healthcare organisation.
‘Too many of the wrong solutions’
The report also notes that firms are using too many of the wrong solutions. With organisations reporting using an average of 25 individual security solutions, 38 percent say a top hurdle is having too many pieces of technology without a sole source of truth. CISOs can find the number of security solutions available to them “overwhelming, unnecessary, and challenging.”
Ninety-four percent agree having the right tools in place would save them considerable time. Thirty-eight percent want access to a single integrated enterprise tool to optimise security investments.
“We get tool exhaustion at some places where money is just thrown at tools and they’re only using a quarter of it,” said a CISO in the US public sector. “So having a unified security tool, that’s been built and understood by security people and CISOs and analysts and engineers, that understand their day-to-day work and activities when it comes to certain things, is, I think, something that’s missing.”