Panaseer has published its 2024 Security Leaders Peer Report. Now in its fourth year, the research provides insights into the conundrum many CISOs face over the purpose and value of security controls data in supporting critical business decisions.
The survey of senior cybersecurity decision makers in 1,000+ employee organizations in the UK and US found that the biggest concern when taking on a new CISO role is receiving an inaccurate audit of the company's security posture (54%). This is a tacit acknowledgment that inaccurate security data can hide points of weakness and result in security resources not being utilized efficiently.
The issue of data quality was of greater concern to respondents than the lack of security budget (44%) and being scapegoated for a breach (44%).
The same desire to gain complete visibility into security controls data was also highlighted in the top challenges cited by respondents when starting a new CISO role:
Getting a true picture of weaknesses in organizational security posture (49%)
Understanding the threat landscape (45%)
Getting trusted data to enable strategic decisions (43%)
Understanding where security controls are failing is a critical first step to mitigating cyber risk and making the right decisions. Unfortunately, only 36% of security leaders are totally confident in their security data and use it for all strategic decision-making. This is a concerning finding, as without trusted data CISOs might struggle to influence senior business stakeholders and to ensure the right people are held accountable for fixing security issues.
“One of the most important things in the world is credibility. If you lose credibility, it’s the hardest thing to earn back from people,” argues Shawn Bowen, SVP and CISO of World Fuel Services. “So when your data lacks credibility, that’s the same problem. You need to know where your data is inaccurate and be up front about it, otherwise if someone else finds the inaccuracies they aren’t going to trust you again.”
Perception and reality
The report found a concerning gulf between respondents’ perception of their security controls and reality. Nearly all (95%) said they are highly or somewhat confident that security controls are working effectively all the time, and 88% declared that they trust their security data is accurate.
As a result, over half (54%) of security leaders said they are very confident in their ability to use security data to prioritize actions to have the greatest impact on risk reduction. Nearly all (96%) are confident to some extent.
However, 79% of responding organizations admitted they have been surprised by a security incident that evaded their controls—indicating that data on the status of controls is either inaccurate, or not being properly interpreted to improve security posture.
There is also evidence to suggest that controls data is not widely viewed as a strategic asset for cyber protection and risk mitigation.
Over one-third of respondents (38%) said they are unable to evidence remediation of control failures. A similar number (37%) classify control failures as a low priority—rising to 43% in financial services companies.
Restoring trust in the data
The vast majority (90%) of security leaders said that improving the accuracy of cybersecurity data is a priority for them in the next 12 months. Additionally, when asked to consider the impact of AI, 76% are concerned about threat actors using AI to find gaps in their organizations’ security controls. Given that they spend on average nearly half (46%) of their time manually collecting, formatting and presenting this data, finding a more automated way to do it should also be treated with some urgency.
Continuous Controls Monitoring (CCM) can help to deliver the trust in this data that CISOs and other stakeholders need. The benefits of improving data quality and trust are clear, with 84% of security leaders believing that increasing trust in their data would help them secure more resources to protect their organization. But first there needs to be a mindset change in security leaders and the board—away from using controls data for reporting, and instead embracing it to proactively drive business decisions and stop problems before they occur.
“The industry needs to change if we are to solve the CISO security controls conundrum, and Continuous Controls Monitoring (CCM) can be the catalyst. It isn't a better reporting tool, it's a way of knowing what to do next – making day-to-day cybersecurity firefighting easier and getting ahead of the game on strategic risk,” argues Panaseer Security Evangelist, Marie Wilcox.
“At the moment, many leaders don't know that security controls data can help them do this. It's understanding the value of a big picture view, and single source of truth rather than multiple siloed perspectives.”
In this way, access to trusted controls data could not only help CISOs address the challenges and concerns listed above, but also tackle their three top priorities in a new role, as cited by respondents:
Understanding security posture (39%)
Understanding processes for data collection and analysis (38%)
Auditing security tooling (37%)