A new study that explores how chief information security officers (CISOs) perceive the state of their profession carries some surprising findings. In a stark contrast with past year studies, “experiencing a data breach” now paints CISOs as more experienced and thus more apt to defend the organization from cyber threats.
200 CISOs or senior security personnel with equivalent responsibilities were interviewed in the U.S. and the U.K. (100 in each country) for the survey. Researchers found that senior executives and board members perceive cybersecurity differently today than in past-year studies, including the fact that “experiencing a data breach makes them [CISOs] more attractive to potential employers,” according to 58% of respondents.
“This stands in stark contrast to years past when a data breach was often a fireable offense for CISOs,” Optiv Security researchers noted.
Another notable result was that cybersecurity risk has become important enough to businesses that CISOs will begin to be named as CEOs, as indicated by 76% of those surveyed. 96% agreed that senior executives have a better understanding of cybersecurity than they did five years ago, but are still not following best practices with cybersecurity. For example, around half of CISOs in both territories indicated that they practice their incident response plans at a frequency of once a year or less.
“Industry best practices call for frequent incident response tests and practice, so teams are ready for the real thing when it happens,” researchers cautioned.
Furthermore, when asked what they would fix first if they could pause the business for six months, few CISOs prioritized patching and vulnerability assessment, despite these two being the most common sources of data breaches (57% of all breaches).
CISOs were also in broad agreement (88%) that having in place a global treaty on cybersecurity (like the Geneva Convention) would be “worthwhile.”