CISOs are now C-suite in nearly half of polled firms

The C-suite and board of directors are increasingly relying on CISOs for guidance across a sophisticated threat landscape and changing market conditions, according to Splunk, which released its 2023 CISO Report.

“These relationships provide CISOs the opportunity to become champions who strengthen an organisation’s security culture and lead teams to become more cross-collaborative and resilient,” said Jason Lee, CISO, Splunk. 

“By communicating key security metrics, CISOs can also guide boards on adopting emerging technologies, such as generative AI, to help improve cyber defence management and prepare for the future,” said Lee.

The research was conducted through separate quantitative and qualitative surveys from May 2023 through June 2023 in participation with Enterprise Strategy Group. 

The quantitative survey targeted 350 CISOs, CSOs and other qualified executive security leader equivalents across Australia, Canada, France, Germany, India, Japan, New Zealand, Singapore, the United Kingdom and the United States.

Results show that 86% of surveyed CISOs believe generative AI will alleviate skills gaps and talent shortages on the security team, filling labour-intensive and time-consuming security functions and freeing up security professionals to be more strategic. 

Also, 35% report using generative AI for positive security applications and an additional 61% will likely use it within the next 12 months. 

Findings show that CISOs pay ransomware demands, with 99% of respondents saying their organisation experienced at least one disruptive cyberattack last year. 

Many industries experienced ransomware attacks that significantly impacted their systems and business operations, including financial services (59%), retail (59%) and healthcare (52%). 

Among firms, 83% paid the attackers in the wake of a ransomware attack, and more than half paid at least $100,000. 

The retail industry is the most likely to pay the ransom, with 95% of respondents reporting they paid either directly, through cyber insurance or through a third party.

CISOs are trying to stay ahead of generative AI, and 70% believe generative AI could give cyber adversaries more opportunities to commit attacks. Yet, 35% are already experimenting with it for cyber defence, including malware analysis, workflow automation and risk scoring.

Reining in tools will close visibility gaps, and 88% of CISOs said they see a need to rein in security analysis and operations tools with solutions like security orchestration, automation and response (SOAR), security information and event management (SIEM) and threat intelligence. CISOs are looking to decrease the number of tools they use and simplify processes with automation.

CISOs are now in the C-suite. In 47% of organisations surveyed, the CISOs are now reporting directly to the CEO, indicating a closer relationship with the C-suite and their respective governing boards. 

Boards of directors are increasingly looking to CISOs to guide cybersecurity strategy, offering an opportunity for CISOs to articulate value and fill in communication gaps. The top three CISO metrics for success are results of security testing, the ROI of security investments, and the ability to purchase cyber insurance.

Boards prioritise security funding and 93% of respondent CISOs expect an increase in their cybersecurity budget over the next year. Yet, 83% see cuts in other parts of their organisation.

Economic challenges are impacting security, with 80% saying they have noticed their organisation has faced a growing number of threats coinciding with the declining economy.

Cross-functional collaboration will be critical for a lasting resilience strategy, with 92% of respondents reporting either a significant or moderate increase in cybersecurity collaboration between security teams, IT and engineering organisations.