According to a recent report, the most common worry when taking on a new CISO role is getting an erroneous audit of the organization’s security posture.
The 2024 Security Leaders Peer Report from Panaseer, a leader in security posture management using Continuous Controls Monitoring, is now available. The study, which is currently in its fourth year, sheds light on the dilemma that many CISOs encounter when attempting to determine the value and purpose of security control data in relation to important business decisions.
According to a poll conducted among senior cybersecurity decision makers in organizations with 1,000 or more employees, the largest worry for a new chief information security officer (CISO) is getting a faulty audit of the organization’s security posture (54%). This is a tacit admission that incomplete security data can conceal vulnerabilities and lead to inefficient use of security resources.
Respondents were more concerned about data quality than about being blamed for a breach (44%) or about lacking sufficient budget for security (44%).
The top priorities mentioned by respondents when beginning a new CISO post emphasized the same desire for complete insight into security controls data:
Obtaining an accurate picture of the organization’s security posture and vulnerabilities (49%)
Understanding the threat landscape (45%)
Obtaining reliable data to support strategic decision-making (43%)
Making informed judgments and reducing cyber risk require first knowing where security procedures are falling short. Unfortunately, just 36% of security leaders use their security data for all strategic decision-making and have complete faith in it. This is a worrying finding because, in the absence of reliable evidence, CISOs may find it difficult to persuade senior corporate stakeholders and to ensure that the appropriate parties are held responsible for resolving security breaches.
“Credibility is among the most significant things in the world. The hardest thing to get back from people is lost credibility,” according to Shawn Bowen, SVP and CISO of World Fuel Services.
Thus, the identical issue arises when your data is untrustworthy. If you don’t know where your data is wrong, you can’t expect someone else to believe you in the future. Therefore, you should be transparent about these inconsistencies.
Reality and perception
The study discovered a troubling discrepancy between respondents’ perceptions and the actual state of their security safeguards. 88% of respondents stated they trust that their security data is correct, and nearly all (95%) stated they are highly or moderately confident that security procedures are operating effectively all the time.
Consistent with this, more than half (54%) of security executives expressed great confidence in their capacity to use security data to rank tasks by their potential impact on risk reduction. Almost everyone (96%) has some degree of confidence.
The fact that 79% of responding firms acknowledged being taken aback by a security incident that got past their controls, however, suggests that the information provided about the state of controls is either unreliable or not correctly interpreted to strengthen security posture.
Additionally, there is evidence to suggest that controls data is not commonly seen as a strategic asset for risk mitigation and cyber defense.
More than one-third of those surveyed (38%) said they could not provide proof that control failures had been remediated. A similar proportion (37%) consider control failures to be a low priority; in financial services firms, this percentage rises to 43%.
Regaining confidence in the data
Enhancing the accuracy of cybersecurity data is a top objective for the vast majority of security leaders (90%) in the upcoming year. In addition, 76% of respondents who were asked to think about the impact of AI expressed concern about threat actors utilizing it to uncover weaknesses in their organizations’ security measures.
There should be some urgency in finding a more automated way to collect, format, and display this data, since security leaders spend, on average, nearly half (46%) of their time doing so by hand.
Continuous Controls Monitoring (CCM) can help provide the confidence that CISOs and other stakeholders require in this data. Enhancing data quality and trust has evident advantages: according to 84% of security executives, boosting data trust would enable them to obtain additional resources for safeguarding their company.
But first, security officials and the board must adopt a new perspective that embraces the use of controls data to proactively drive business choices and avert issues before they arise, rather than using it only for reporting purposes.
According to Marie Wilcox, a Panaseer Security Evangelist, “the industry needs to change if we are to solve the CISO security controls conundrum, and Continuous Controls Monitoring (CCM) can be the catalyst.”
Rather than an improved reporting tool, she says, “it’s a method of knowing what to do next – making day-to-day cybersecurity firefighting easier and getting ahead of the game on strategic risk.”
Many executives today are unaware that security controls data can assist them in achieving this. It means recognizing the need for a unified viewpoint and a single source of truth rather than several fragmented viewpoints.
Respondents also indicated that, in addition to the challenges and concerns mentioned above, access to trusted controls data would help CISOs address their three main goals in a new role:
Understanding their security posture (39%)
Understanding the procedures for gathering and analyzing data (38%)
Auditing security tools (37%)