The 10th annual Information Security Maturity Report, published by ClubCISO and Telstra Purple, reveals that despite a perceived dip in the quality of overall security posture, the vast majority of Chief Information Security Officers (CISOs) have observed positive security culture gains in their organizations over the past year. The report surveyed 182 members of ClubCISO, a global community of information security leaders in both public and private sector companies.
The findings of the report paint an optimistic picture of organizational security. CISOs reported fewer material breaches than in the previous year. In addition, 60% of respondents stated that leadership endorsement had a significant influence in improving organizational security culture.
The report also highlighted some factors that are holding CISOs and their security teams back. These include a lack of resources, slowing security budgets, competing priorities, and insufficient staffing. Despite the positive findings, CISOs still feel that inadequate staffing is affecting their ability to meet objectives, although there has been a slight improvement from the previous year.
According to the report, security culture is moving in the right direction in most businesses to some degree. Around 80% of respondents stated that their security culture is making good progress, compared to 57% in the previous year. The report identifies several key drivers for improving security culture, including proactive “report it” no-blame policies, simulated phishing, tailored training, and stronger alignment between security and senior leadership teams.
However, the report also highlights the challenges faced by CISOs in maintaining security culture. The top three factors negatively impacting security culture over the past year were identified as too many competing priorities, security teams being overstretched, and a lack of resources to promote security awareness, behavior, and culture.
Interestingly, the number of leaders who believe their security culture is an exemplar of best practice has dropped compared to the previous year. This decline may be attributed to a deeper understanding of what it means to be an exemplar of best practice and the time required to change and improve culture, according to report contributor Dr. Jessica Barker.
Despite the perceived dip in overall security posture, this year’s report reveals that breach rates have fallen. The majority of respondents reported no material breaches or incidents in the past 12 months. However, CISOs rated their organization’s overall security posture lower than in the previous year. This suggests that while organizations have been successful in avoiding breaches, there is room for improvement in their overall security posture.
The report also sheds light on the lack of security resources and the slowing down of security budgets. While the data suggests that security budgets have increased, the increase is not as significant as in previous years. Respondents cited the evolution of the cyber threat landscape, keeping up with peers, and investing in recruitment and training as key factors contributing to increased spending. On the other hand, limitations on budgets were attributed to economic downturn, profit and loss pressure, and geopolitical unrest. The most common solutions on CISOs’ agendas include security information and event management, vulnerability management, and identity and access management.
Cyber insurance is another topic covered in the report. The findings reveal a division of opinion among respondents regarding its benefits. While most respondents have cyber insurance, 15% of CISOs either don’t want it or don’t believe in its benefits. Of those with cyber insurance, 18% have attempted to make a claim. Satisfaction with the outcome and renewal price varies among respondents, with some being satisfied with the outcome but not the renewal price and others being dissatisfied overall. This change in sentiment compared to the previous year reflects the increasingly complex, expensive, and diversified nature of cyber insurance policies. Half of the respondents agree that cyber insurance is exacerbating the issue of ransomware to some extent.
Despite the division of opinion, most respondents believe that cyber insurance has a role to play in protecting organizations. However, they stress the need for better clarity on the outcomes from policies and emphasize the importance of complementing in-house capabilities with specialist advice and support from credible suppliers.
In conclusion, the 10th annual Information Security Maturity Report provides both positive and concerning insights into organizational security. While there have been gains in security culture and a decrease in reported breaches, challenges such as limited resources, slowing budgets, and competing priorities continue to hinder progress. The report highlights the need for stronger alignment between security and senior leadership teams, as well as the importance of addressing staffing and resource issues. Furthermore, the report underscores the evolving nature of cyber threats and the need for organizations to adapt and invest in the right security solutions.