
CISOs under-supported, under pressure, Trellix finds

The vast majority of CISOs say they are finding it difficult to get sign-off on the resources they need to do their job

Chief information security officers (CISOs) are still failing to get the support they want and need from their boardrooms, with 96% struggling to get leadership to sign-off on resources to appropriately safeguard their organisations, while coming under significant pressure from the exact same people when something goes wrong, according to Trellix’s Mind of the CISO report.

Trellix surveyed 500 CISOs for the study, including 50 in the UK and others in Australia, France, Germany, India, Saudi Arabia, Singapore, the UAE and the US, and additionally conducted in-depth interviews with 25 of them, five of whom were in the UK.

It found the biggest challenges that CISOs perceive are an overload of information sources, a fast-changing regulatory and legal landscape, a widening attack surface thanks to remote work and supply chain issues, a shortage of skilled staff, and a lack of buy-in from other parts of the company.

Many respondents said that despite the responsibilities they have to juggle, they often felt somewhat invisible to the rest of the organisation. One UK-based interviewee who works in the financial services sector said: “You are a hero, and held in high esteem, and everything is hunky-dory until it’s not. So when there are no cyber incidents it’s a job that’s well respected. But your head is on the chopping block the moment there’s a problem.”

Trellix EMEA senior vice-president Fabien Rech said: “Faced with an increasingly complex and ever-evolving threat landscape, CISOs are often under-resourced and stretched too thin. This causes significant stress among 40% of SecOps teams across EMEA, with 43% experiencing major attrition as a result. As an industry, we have seen an observable bleed of talent as cyber security professionals are being asked to do more with less.

“These issues are front and centre for CISOs, but surprisingly, the vast majority in EMEA (95%) experience a lack of support at the board level, despite executives recognising the importance of cyber security. While CISOs are responsible for protecting company data – and by extension, profitability and reputation – they can’t be expected to do it alone. Executives need to recognise these pain points and invest in the right resources, from hiring talent to integrating new security technology, if they are to support CISOs and their teams.”

Absolute hell

Trellix’s researchers found that 85% of respondents had experienced at least one major cyber security incident, and 42% more than one, with 80% feeling fully or mostly accountable for the incident.

“We carry a lot of risk and potential stress on our shoulders,” another UK-based respondent commented. “If something does go wrong, a lot of fingers get pointed at our role, even when it’s sometimes not our fault.”

The top impacts seen in the wake of a large cyber incident included significant stress on the security team, increased insurance premiums, staff attrition from the security team, network downtime, and the loss of customer or employee data.

Asked about their experience of managing security incidents, one interviewee, working in the US healthcare sector, described it as “absolute hell, as anybody will tell you”.

“It’s the pit in the stomach when you start to hear about it,” they said. “It’s the whole rollercoaster of ‘maybe this is nothing’ and then it’s something.”

Too many cooks

In terms of where organisations are directing their security budgets – which account for about 34% of total IT spend on average – network detection and response received the most cash, followed by cloud, endpoint security, extended detection and response, and email security. Security operations and analytics were the least spent upon.

However, the report also highlighted another trend whereby investment in too many tools – the average organisation reports using 25 individual security services – causes problems for CISOs, 38% of whom found themselves in a position where they had too many pieces of technology but no single source of truth. The same number said they would appreciate a single integrated enterprise tool to optimise security investments.

Asked what would be the top qualities in an offering that would improve their overall security posture, 44% of CISOs wanted more visibility into what was going on, 42% to be better able to prioritise alerts that matter, 40% to be able to work better to address multivector attacks, 37% to have more prescriptive and insightful tools, and 37% to have more accurate ones.

“We get tool exhaustion at some places where money is just thrown at tools and they’re only using a quarter of it,” said a CISO in the US public sector. “Having a unified security tool, that’s been built and understood by security people, CISOs, analysts and engineers, and understands their day-to-day work and activities when it comes to certain things, is, I think, something that’s missing.”
