Three CISO Problems Solved: Demonstrating Your Security Programs Value to Leadership
Solving three defense readiness questions every security leader should be able to answer.Read
Let’s acknowledge the elephant in the room: cybersecurity is still not a main priority for most organizations. It’s not that companies don’t care, many times investing in cybersecurity can seem out of reach, overwhelming, or an “IT problem”, but in today’s current landscape these excuses are no longer an option.
A recent survey of 150 CISO’s by BSS revealed less than a quarter (22%) of CISO’s are actively participating in business strategy and the decision-making processes. Even more staggering, only 1 in 10 (9%) of CISO’s said information security is always in the top three priorities on the boardroom’s meeting agenda.
Cybercrime is a TRILLION-dollar issue, $8 trillion to be exact and that number is expected to grow to $10.5 trillion by 2025 according to cybersecurity ventures. To give you some perspective of how much money that is, combine the worth of Apple, Microsoft, and Amazon… and then double it.
We understand cybersecurity can seem like a huge undertaking and there aren’t any tangible results. It’s a lot like investing in car insurance. You don’t need it until you’re in an accident. That’s how many companies approach cybersecurity, they don’t invest until there’s been a breach but by then the damage is done.
Now, it’s not all doom and gloom. The survey did reveal that investment in cybersecurity is slightly moving in the right direction. 61% of the CISO’s surveyed noted they received a significant increase in funding, averaging between 10-30% more. However, over half of respondents said “they we’re expected to spend their budget on cyber security issues hitting the news headlines, rather than where it’s really needed. “
However, the survey highlighted 78% of the CISO group said high-profile security incidents we’re the reason behind receiving more budget.
I’m not a big fan of scare tactics. I believe it’s important to understand the problem (which can have hints of scary) and then offer solutions.
That’s one of the reasons we saw a use case for BlindSPOT, OnDefend’s proprietary breach & attack simulation tool. It changes the mindset of a company that is historically reactive to cybersecurity incidents and makes them proactive. BlindSPOT consistently tests and tunes an organizations security control throughout the year. That way if an attacker we’re to strike, you would know your companies ready. It’s a lot like prepping for a hurricane. You can’t stop mother nature from striking but you can be prepared with flashlights, water, and rain boots for when it happens.
So, where am I going with all of this? The need to give cybersecurity a seat at the table. Once leadership changes their mind from not if we’re attacked but when, then we can all start doing the real job of protecting against the bad guys. In the end, we’re all after the same goal, right?