The vast majority of CISOs have observed positive security culture gains in their organisations in the last year despite a perceived dip in the quality of overall security posture, according to the 10th annual Information Security Maturity Report published by ClubCISO and Telstra Purple.
The research surveyed 182 members of ClubCISO, a global community of information security leaders working in public and private sector companies.
The paper paints an optimistic picture of organisational security with CISOs reporting a drop in reported material breaches compared to the year before, while 60% state that leadership endorsement has been a major influence in improving organisational security culture.
Despite positive findings though, several factors still hold CISOs and their security teams back including a lack of resources, slowing security budgets, competing priorities, and insufficient staffing, the report found.
What’s impacting security culture in organisations?
Security culture is moving in the right direction in most businesses to at least some degree, according to 80% of respondents, with 62% feeling that their security culture is making “good progress,” compared to 57% in 2022.
Along with leadership endorsement, proactive “report it” no-blame policies (41%), simulated phishing (38%), and tailored training (37%) are key drivers improving security culture, according to the report.
Stronger alignment between security and senior leadership teams is also noted, including both the executive team (67% in 2023 vs 59% in 2022) and the board (54% in 2023 vs 49% in 2022).
However, growing lists of priorities and limited resources are hampering security culture. According to respondents, the top three factors most negatively impacting security culture over the last 12 months are too many competing priorities (61%), security teams being overstretched (44%), and a lack of resources to promote security awareness, behaviour, and culture (26%).
What’s more, CISOs still feel that insufficient staffing is affecting their ability to deliver against objectives, although this dropped slightly from last year (50% in 2023 vs 57% in 2022).
Interestingly, the number of leaders who believe their security culture is an exemplar of best practice has dropped compared to 2022.
“Does this mean that excellence in security culture has declined? It seems far more likely that this can be attributed to a deeper understanding of what it means to be an exemplar of best practice and how long it takes to change and improve culture,” wrote report contributor Dr. Jessica Barker, co-CEO and co-founder at Cygenta.
Breach rates fall despite perceived dip in overall security posture
This year’s report paints an optimistic picture of organisational resilience against security threats: 76% and 60% of respondents said that no material breaches and no material cybersecurity incidents had occurred in the past 12 months, respectively, compared to 68% and 54% last year.
That’s despite CISOs rating their organisation’s overall security posture lower than they did last year. In 2022, 46% of those surveyed rated themselves as above average (at least 4/5 stars), while this year only 38% rated themselves the same.
What’s more, more than 13% of respondents are not confident that their organisation will be able to meet key security objectives.
Lack of security resources common, security budgets begin to slow
A lack of resources for security teams is a common theme in this year’s report, and although the data suggests that security budgets have increased, this may be slowing down.
Just over half of respondents said their budgets had increased from last year, but the degree of increase was typically lower when compared to the previous year’s report.
Key factors contributing to increased spending include the evolution of the cyber threat landscape (39%), keeping up with peers (21%), and investing in recruitment and training (18%), while limitations on budgets appear to be a result of economic downturn (34%), profit and loss pressure (30%), and geopolitical unrest (17%).
The most common solutions at the top of CISOs’ lists are security information and event management (SIEM, 46%), vulnerability management (43%), and identity and access management (IAM, 43%).
“Cybersecurity can give companies a competitive advantage and is now seen as a revenue generator as citizens and businesses become more and more selective about what the security credentials of a business should be,” wrote report contributor Manoj Bhatt, cybersecurity team lead at Cyberhash UK and CSO 30 UK Awards 2023 judge.
Cyber insurance divisive but becoming inevitable
Cyber insurance is a divisive topic in this year’s report, reflective of a significantly changing cyber insurance landscape in which policies are becoming more complex, expensive, and diversified.
Most respondents (72%) have cyber insurance, while 15% of CISOs don’t want it and don’t believe in its benefits. Of those with cyber insurance, 18% have attempted to make a claim, with further division evident regarding the perceived outcomes of policies: 29% were satisfied with both the outcome and the renewal price, 38% were satisfied with the outcome but not the renewal price, and 33% were dissatisfied with the outcome altogether.
This final group is the one area demonstrating clear change from last year, when not a single respondent said they were dissatisfied with the outcome of their insurance claim. Finally, over half (54%) of respondents agree that cyber insurance is exacerbating the issue of ransomware to some extent, while 14% disagree.
Most respondents believe cyber insurance has a part to play in protecting organisations, but they argue that clarity on the outcomes from policies must be better, wrote report contributor Stephen Khan, chairman of ClubCISO. “Members believe cyber insurance must complement in-house capabilities, with specialist advice, and support from credible suppliers.”