Understanding the state of security in 2020.

Propelling digital transformation while safeguarding the enterprise is a mammoth task. Indeed, initiatives like opening up IT infrastructure, converging IT and OT networks, and allowing partners and customers to closely interact with the organization to embrace new business models and collaboration (think cloud applications, APIs, sensors, mobile devices, etc.) bring new risks as well as opportunities.

For its 2020 CISO Benchmark Report, Cisco surveyed 2,800 IT decision makers from 13 countries to better understand the challenges security teams face. Here are some of the key findings that stood out to me.

Metrics that matter

Nine out of ten respondents felt their company executives had solid measures for gauging the effectiveness of their security programs, although this figure, too, is down by six percent from last year. Clear metrics are key to a security framework, and it’s often difficult to get diverse executives and security leaders to agree on how to measure operational improvement and security results. One thing survey respondents could agree on, however, is that time-to-detect is the most important key performance indicator (KPI).

Wanted: greater stewardship

The share of companies that have clarified the security roles and responsibilities on the executive team has risen and fallen in recent years, but it settled at 89 percent in 2020. Given that cybersecurity is being taken more seriously and there is a major need for security leaders at top levels, continuing to clarify roles and responsibilities is critical.

Assessing risk

The frequency with which companies are building cyber-risk assessments into their overall risk assessment strategies has shrunk by five percent from last year.
Still, 91 percent of the survey respondents reported that they’re doing it.

Cloud protection an uphill battle

It’s almost impossible for a company to go digital without turning to the cloud. The Cisco report found that in 2020, over 83 percent of organizations will be managing (internally or externally) more than 20 percent of their IT infrastructure in the cloud. But protecting off-premises assets remains a challenge. Just over half (52 percent) of the respondents say that data stored in the public cloud is very or extremely challenging to secure.

Automating security a must

The total number of daily security alerts that organizations are faced with is constantly growing. Three years ago, half of organizations had 5,000 or fewer alerts per day; today, that number is only 36 percent. The number of companies that receive 100,000 or more alerts per day has risen to 17 percent this year, from 11 percent in 2017.

Due to the greater alert volumes and the considerable resources needed to process them, investigation of alerts is at a four-year low: just under 48 percent of companies say they can keep up, down from 56 percent in 2017. The rate of legitimate incidents (26 percent) has remained more or less constant, which suggests that a lot of investigations are coming up with false positives.

Perhaps the biggest side-effect of this never-ending alert activity is cyber-security fatigue. Of the companies that report that it exists among their ranks, 93 percent of them receive more than 5,000 security warnings every day.

A sizable majority (77 percent) of Cisco’s survey respondents expect to implement more automated security solutions to simplify and accelerate their threat response times. No surprise here. These days, they basically have no choice.

Brand reputation at risk

Organizations that had 100,000 or more records affected by their worst security incident increased to 19 percent this year, up four percent from 2019.
And 33% of survey respondents said that brand reputation had taken a hit from a security incident, compared to 26% of respondents three years ago. This is why, to help minimize damages and recover fast, it’s key to incorporate crisis communications planning into the company’s broader incident response strategy.

On the bright side

The share of survey respondents reporting that they voluntarily disclosed a breach last year (61 percent) is the highest in four years. The upshot is that, overall, companies are actively reporting breaches. This may be due to new privacy legislation (GDPR and otherwise), or because they want to maintain the trust and confidence of their customers. In all likelihood, it’s both.