Each year, ESG conducts a research project with the Information Systems Security Association (ISSA) on the mindset of cybersecurity professionals (the 2017 report is available here). As part of last year’s research, we asked respondents to identify the top actions their organizations should take in the future to improve cybersecurity. We then broke this data down by respondents’ roles, so we could look at the specific recommendations from CISOs (or other titles with equivalent job descriptions).
Based upon this analysis:
49% say their organizations should add cybersecurity goals and metrics for business managers in the future. I concur, but submit that CISOs should also have business goals. For example, CISOs should be measured on aligning security actions with business projects like digital transformation, not just on incident detection/response or on meeting the deployment schedule for a new MFA initiative.

41% say their organizations should document and formalize cybersecurity processes. The takeaway here is that too many organizations have inefficient, undocumented, and informal cybersecurity processes. Nothing could be more important to security throughput or employee morale than fixing this.

40% say their organizations should provide more cybersecurity training to IT personnel. The aspirational model for many CISOs is to embed security expertise within the IT domains. More training is a step in that direction.

40% say their organizations should include more security oversight and testing in application development processes. Good advice, as a lot of code is written quickly and with an eye toward adding features. This leads to buggy software and high costs. Conversely, more oversight and testing means better security and lower costs. DevOps with security built in will help here.

40% say their organizations should increase the level of CISO participation with executive management and corporate boards. Despite the rhetoric that security has become a ‘boardroom issue,’ many CISOs feel they are treated as a necessary evil. Clearly, CISOs believe they have more to offer than audit results, compliance reports, and basic information about the latest data breach.

40% say their organizations should increase their cybersecurity budgets. Whatever you do and however much you spend, more is always better than less.

CISOs clearly believe that cybersecurity is a ‘team sport,’ where business and IT personnel could contribute more to the overall effort.
Additionally, security needs to become less about tribal knowledge and superstars, and more about repeatable and measurable processes. Seems like sage advice to me.