beebright -

CISOs invisible to their organisations, says BT report

Ignorance of cyber issues is leading to misplaced confidence in security in many organisations, as CISOs struggle to make themselves seen and heard

A lack of understanding of security issues in the workplace and misplaced confidence in organisational cyber security readiness are adding to pressure on CISOs during challenging times, according to a new report produced by BT Security alongside market research firm Davies Hickman Partners.

The global study of more than 7,000 business leaders, employees and consumers found that 76% of executives rated their organisation’s IT strategy as either excellent or good at protecting against cyber threats, but 84% said their organisation had suffered from data loss or a cyber security incident in the past two years, highlighting what seems a clear misunderstanding of security.

Also, less than half were able to put a name to their CISO and a similar number said their security leaders never actively communicated with them.

“This report provides a number of clear examples of how CISOs are expected to provide leadership across an ever-growing number of areas,” said BT Security managing director Kevin Brown. “The huge increase in the pace of digital transformation during 2020 has not only further erased the traditional parameters of the role, but also intensified the scale and complexity of threats to protect against.

“As a result, CISOs must ensure they have the visibility that not only makes them the first port of call for security incidents, but also ensures they are placed at the heart of strategic decision-making and planning.”

A number of other key data points from the report shed more light on this apparent “invisible CISO” phenomenon, as two-thirds of respondents said they were not fully aware of their organisation’s security policies and procedures, and more than half said had not received training on security.

As a result, 45% of employees said they had suffered a security incident but had not bothered to report it, and 15% said they had shared their work logins or passwords with other people in the organisation.

Outside the workplace, attitudes were notably different, however, with nearly two-thirds of consumer respondents saying they would recommend an organisation that went above and beyond when it came to keeping their personal data safe, and a similar number rated security above convenience when choosing who to buy from.

Read more about security management

  • For 2021, Vishal Salvi argues that CISOs should tie cyber security to business agendas better, invest in cloud security, implement IT hygiene, modernise security architecture and more. 
  • Identity practice and management has become a critical element of cyber security strategies to support remote workers.
  • Data crunched by Gartner analysts reveals the behaviours that differentiate the top-performing chief information security officers from the pack.

The survey also found that only 16% of consumers “strongly” trusted large organisations to protect their data, suggesting that even if people are not particularly bothered about security when at work, when at home it suddenly becomes a brand differentiator – further highlighting the need for better education.

BT Security said that in the light of this, the role of the CISO in 2021 is more critical and more multifaceted than it has ever been. The job is no longer just about managing threat and risk through technology – security pros must also function as employee engagement and brand management experts.

Craig Jones, director of cyber crime at Interpol, said: “The range and scale of cyber crime faced by governments, businesses and individuals is constantly growing. We firmly believe in working collaboratively across the public and private sector to make cyber space a safer place, and this very much includes CISOs, who are often the first line of defence in responding to cyber attacks.

“This research from BT shows clearly the increasing responsibilities and expectations placed on the CISO today, and a number of clear steps they can take to improve their protections and our collective resilience.”

The full report can be downloaded from BT’s website.

Read more on Security policy and user awareness

Data Center
Data Management