Do CISOs mean better security?

Do more CISOs mean a greater focus on security concerns?

shaane syed / 06.14.17

In early 2016 the percentage of enterprise organizations with Chief Information Security Officers (CISOs) in their C-Suites stood at 50%. By early 2017 that number had already leapt to 65%, a 30% increase in a single year. This seems to indicate that organizations are truly beginning to understand the need to put cybersecurity at the forefront of their business.

However, “seems to indicate” and “actually indicates” are two entirely different things. Is this encouraging increase in the number of CISOs correlated with a sharpened focus on cybersecurity? Or is it partly just a move to let customers and shareholders know that “we here at Your Favorite Multinational Inc. take security very seriously”? Just because a company has a CISO doesn’t necessarily mean it is always listening to that CISO or giving them the budget they need to accomplish their goals. Resources are at a premium in any organization, and we all know that security doesn’t always receive the level of monetary attention it deserves.

According to ISACA’s State of Cybersecurity 2017 report, only 50% of organizations are increasing their cybersecurity budgets in 2017, even though 53% of respondents to ISACA’s survey saw an increase in attacks in 2016 and 80% consider it likely they’ll see an increase in 2017. An ounce of prevention may beat a pound of cure, but try telling that to accounting.

It’s not just that the number of attacks is increasing, but also that the types of attacks are changing. It wasn’t that long ago that unsecured laptops and phones left behind at bars (and other locations) represented a huge security risk. Organizations adapted, though, and properly secured employee devices, so the natural human tendency to occasionally forget things was no longer an outsized threat. That’s great, but we now live in a time when even refrigerators and toasters present potential (and serious) attack vectors. Organizations must continue to secure old attack vectors while adapting to ransomware, the IoT, and whatever currently unnamed attacks begin popping up tomorrow.

Cybercriminals have always changed their method of attack to hit whatever points seem weakest, of course, so this is nothing new. But fewer resources allocated to security means fewer hires and less training for those hires. This is significant as, according to the report, not even 60% of organizations see more than five applicants for open security positions and only 20% would consider even half of their applicants qualified. Without skilled employees to counter threats, organizations are left one step behind the attackers and playing catch-up.

To make up for the lack of qualified security personnel (and the budgets they’d require), most organizations rely on third-party software and hardware vendors to provide at least some of their security. As one of those third-party software vendors we certainly don’t disagree that this works well, but adequate security requires a number of different approaches to get right, and even the best software needs talented employees to implement it and ensure it’s being used properly by their organization.

A CISO can only go as far as their staff and tools will take them. Though it’s certainly a good sign that so many more organizations have elevated their security to the C-Suite, increased budgets and training are necessary for this to truly have an impact. Only time will tell if these newly minted CISOs are able to use their greater positions of authority to make this happen.