The global COVID-19 pandemic and new geopolitical risks are challenging chief information security officers (CISOs) and forcing them to adapt how they manage security to the current climate, according to a report released on Monday.
London-based ClubCISO, a global private members' forum for information security leaders, surveyed 100 CISOs for its 2020 Information Security Maturity Report and identified cyber resilience, security culture, and cloud security as three hot topics, according to a press release.
The report found that 39% of CISOs had implemented a strategic security-operating model to embed security awareness within the culture, and 43% said they had one in development, the nonprofit group said.
In a statement, Jessica Barker, chair of ClubCISO, said the report, the group’s largest research effort to date, “highlights how a robust and resilient security culture is now more important than ever as businesses combat unknown threats in the wake of the pandemic.”
In the report, CISOs said more employees were falling for phishing messages as attackers target remote workers, with 40% of material incidents attributed to malicious outsiders and 42% to non-malicious insiders.
ClubCISO said that over the next few months security teams would focus on building a stronger security culture through awareness training and live-fire exercises. While nearly all CISOs reported they were working to establish a good culture, fewer than half said their organizations actually had a positive security culture, a figure similar to last year's, the group said.
Responses also show friction within companies: more than a third of CISOs said they do not believe their boards regard information security as highly as they do. Leaders said they struggle to align security with many parts of the business, including HR, legal, IT, and innovation teams, the report found.
CISOs also revealed that the maturity of processes for measuring and managing supply chain risk has declined, the report found. To address such issues, most organizations have adopted a "future state" or "target operating model" (TOM) approach to building a more robust security posture, typically built around security frameworks such as ISO 27001 or NIST, according to the press release.
What’s more, senior security leaders continue to be pessimistic about their organizations’ overall ability to meet security requirements, according to the report, a trend seen in previous years.
Nearly one-quarter of CISOs said they were frustrated with their organization's overall approach to security, while others cited a lack of resources and support, as well as continued disagreement with senior leadership. Despite this, 20% of CISOs rated their overall security posture as "managed" or "optimizing", up from 14% in 2019, the report found.
Manoj Bhatt, a ClubCISO advisory board member and head of cybersecurity advisory and consulting at the tech services company Telstra Purple, which supports ClubCISO, said in a statement: “We are going through challenging times, but CISOs have shown confidence in their inclusive and diverse teams to get the job done. Although there may be divisions within organisations between departments, there has never been a time where corporate alignment with a diverse security team is needed more.”
Bhatt added: “We are seeing a reassuring shift in security investment and awareness, something which is vital for organisations to remain digitally agile. The need for security teams to take their own organisation, customers, and suppliers on a security transformation has never been quite so important.”