BlueFort Security has published the results of its 2022 CISO survey, which revealed that while CISOs are still experiencing challenges around visibility, intelligence and control, nearly half (47%) are proactively focused on digital transformation and cloud migration.
BlueFort Security surveyed 600 CISOs from a variety of UK organisations and found most have moved beyond the challenges of the widespread shift to remote working - which resulted in severely limited visibility, intelligence and control - and are now focused on digital transformation and migration to the cloud, despite a chaotic world and bleak economic environment.
The majority of CISOs (88%) say cybersecurity has become more of a priority for their Board over the last 12 months. And while 37% of CISOs still have their cybersecurity budget defined as a subset of their organisation’s general IT budget, more than half (58%) of CISOs expect world events to cause an increase in their cybersecurity budget over the next budget cycle.
Focus on cloud transformation
CISOs are looking to the future. When asked about the areas in which their departments are prioritising their time and budget, CISOs said they are accelerating digital transformation (47%) and ensuring cybersecurity protection is fit for purpose for the future (46%).
Enabling cloud transformation is now a key focus area for UK security leadership. With more than half (57%) of organisations using multiple clouds and 37% using a single cloud environment, CISOs now have a clear focus - secure the cloud and secure the (primarily cloud-based) applications. However, while progress has been made in securing these environments, just half (52%) of CISOs are confident they are able to fully enforce a consistent security policy across all applications in the cloud. A significant proportion (42%) can only partially enforce cloud application security policies, while 5% are unable to at all.
This challenge is likely to remain front and centre for CISOs over the next 12 months as their organisations continue along their digital transformation journeys, with more than half (52%) stating they will be moving applications to the public cloud, migrating apps from one cloud to another and replacing legacy systems with SaaS applications. And, while 62% of CISOs say their organisation is using a cloud security posture management tool, more than half (52%) are manually standardising and enforcing security policies in their public cloud environments for each application.
Additional highlights from the BlueFort 2022 CISO survey include:
Improving, but still poor, visibility: UK CISOs still lack visibility, intelligence and control over much of their organisation’s estate, but relative to 12 months ago, the situation is improving. However, more than half (57%) of those surveyed admitted that they do not know where some or all of their data is, or how it’s protected. CISOs were most likely to cite an increase in data that is not backed up as a top security challenge over the last 12 months, with an increase in dormant email accounts also presenting challenges. A third (36%) lack visibility of movers, joiners and leavers - an increase on last year - which highlights the ongoing complexities of managing a hybrid workforce.
The talent gap remains: The human element remains a key challenge for CISOs, and this is a double-edged sword. Employees continue to be the ‘weak link’ in effective security strategies, particularly when it comes to keeping track of people, their devices and their data. Almost half (45%) leave their computer logged in without being on it and use their work computer for personal use, while nearly the same proportion (43%) delete suspicious emails without flagging them to IT and connect to public WiFi sources. Meanwhile, the vast majority (84%) of CISOs are actively recruiting to fill a skills shortage, while 87% of CISOs are looking to outsource to help fill this gap. Most (85%) CISOs struggle to retain cybersecurity staff and 84% have just enough resources to cope with the basics of cybersecurity.
Consolidation of tools is critical: While adding more technology during the overnight shift to remote working temporarily solved some of the issues, it has likely diluted team attention spans and has led to more long-term problems. When asked about barriers inhibiting adequate defence against cyber threats, most (37%) CISOs cited a lack of collaboration between separate departments and low security awareness among employees (35%).
Reliance on third parties has increased: These challenges are compounded by the lack of available talent and limited expertise within existing security teams. This skills gap remains a key challenge and is reflected in the move to outsource and rely on external skills support, with trusted partners most likely to be relied on (42%) to navigate the complex cybersecurity solutions market. This support is even more important during a security incident, with 41% of CISOs whose organisation had suffered a breach relying on an external incident response firm and almost half (44%) using third parties to deal with stolen data following a breach.
“This year’s BlueFort CISO survey has a positive message - CISOs know the direction they need to go, even if they don’t know exactly which steps they will need to take to get there. The reality is CISOs are under huge pressure to deliver visibility, intelligence and control for their organisations while navigating the Wild West of the cyber landscape. CISOs are faced with finding order in chaos - all while the sector-wide talent shortage means security teams are doing more with less,” said Dave Henderson, CEO Sales and Marketing at BlueFort Security.
“Visibility is still one of the most pressing issues facing CISOs and a key element of this is assessing their estate, establishing which cybersecurity solutions they have and consolidating technology. The net result is that many CISOs are undertaking a significant declutter, getting rid of no-longer-used, oftentimes duplicate tools. Put simply, they are learning what they can live without,” continued Henderson.
“The industry is in a strong position moving into 2023. While CISOs recognise the ongoing skills shortage and the ever-changing threat landscape, they now have a clearer idea of where they are, what challenges they are facing, and which gaps they need to fill. There are certainly challenges ahead, but this survey demonstrates CISOs remain laser-focused on consolidation and collaboration. As they continue to reconcile their tools - removing those that deliver minimal value and prioritising best-in-breed solutions - CISOs will be well-placed to protect their organisations over the next 12 months,” concluded Henderson.