Top Ten: Things Learned from BT’s CISOs Under the Spotlight Study

Today, BT Security published the findings from its largest ever research project, which discussed the role of modern CISOs and areas they need to focus on in order to improve the security of their organizations.

More than 7000 business leaders, employees and consumers from across the world were surveyed for the report, highlighting changing issues in, and attitudes towards, cybersecurity that CISOs must be aware of. A headline from the report was that while 76% of business executives rate their organization’s IT strategy as excellent or good at protecting against cybersecurity threats, 84% admitted their organization had suffered from data loss or a security incident in the last two years. This discrepancy indicates there is significant complacency about the effectiveness of security programs.

Commenting on the findings, Craig Jones, director of cybercrime at INTERPOL, said: “The range and scale of cybercrime faced by governments, businesses and individuals is constantly growing. We firmly believe in working collaboratively across the public and private sector to make cyberspace a safer place, and this very much includes CISOs, who are often the first line of defense in responding to cyber-attacks. This research from BT shows clearly the increasing responsibilities and expectations placed on the CISO today, and a number of clear steps they can take to improve their protections and our collective resilience.”

So what are the top 10 things we learned from CISOs Under the Spotlight?

  1. Insecure behaviors among staff are prevalent, which is making organizations more vulnerable to cyber-attacks. In just a few examples, close to half (45%) of staff admitted they have had a security incident at work and not reported it, 15% of executives and employees have given their login and password details to others and nearly 20% of business leaders said they have a lost a smartphone they use for work
  2. There is a lack of confidence in organizations’ cybersecurity capabilities. Under one-third of business leaders said they rated their company’s IT security as ‘excellent’ while there was low confidence in the ability of their organization to deliver basic security services such as routine patching
  3. Cybersecurity awareness training is often inadequate and needs improvement. Under a third of executives (29%) rated their IT security team as ‘excellent’ in educating colleagues about the need for security and under half (45%) stated they had definitely received training on data security. As a result, just one in three employees are 100% aware of the policies and procedures they need to take to protect the security of their organizations’ data
  4. Customers regularly engage in insecure practices, thereby putting their data at risk and undermining trust in businesses. The study found that a third of consumers fail to undertake basic security hygiene such as updating software, clearing cookies and routinely resetting passwords
  5. Consumers are more willing to accept heightened security. This particular finding represents an opportunity for CISOs to enhance the reputation of their organization in the eyes of consumers. Just 16% of consumers said they trusted large organizations to protect their personal data and 69% suspected many more companies lose customers’ data than gets reported. Additionally, nearly two-thirds (64%) would recommend a large company that makes a big effort to keep their data secure
  6. Organizations are facing a growing volume of attacks. Three-quarters (75%) of executives said they have observed more security threats to their organizations each year
  7. There is a wider range of threat actors and motivations underpinning attacks. As well as facing an increasing volume of attacks, the threat landscape is widening, according to the analysis. Executives noted that their organization was at higher risk last year from professional hackers trying to steal data (49%), scammers cheating consumers (49%), hacktivists with a political agenda (43%) and the dark web selling their data (43%)
  8. There is growing recognition of the need to improve cybersecurity practices. Encouragingly, there is increasing maturity amongst consumers when it comes to tolerating security measures, with over two-thirds (67%) saying that security is more important than convenience when dealing with organizations. This indicates organizations shouldn’t be afraid to impact on convenience of users if there is a clear security benefit in doing so
  9. There are no clear distinctions between age groups’ attitudes to cybersecurity. The report had mixed results among different age groups in terms of their responses to cybersecurity threats. Generally, younger people felt more vulnerable online, while older consumers were least concerned, with the latter claiming to behave more securely. Although younger people were more likely to prefer convenience over security, the survey found they regularly displayed sophisticated security behaviors such as having alias accounts for email
  10. Security leaders need more internal visibility. Worryingly, under half of executives and employees were able to name their organizations’ CISO (or DPO). As a result of this lack of visibility, just half of executives said their colleagues will involve the CISO when appropriate

The report emphasises that the traditional role of a CISO needs to adapt. Rather than simply being focused on maintaining the security of the network and corporate data, they need to push themselves to a major strategic role in their organization, driving enhanced cybersecurity in a way that is visible to consumers.

Kevin Brown, managing director of BT Security, added: “This report provides a number of clear examples of how CISOs are expected to provide leadership across an ever-growing number of areas. The huge increase in the pace of digital transformation during 2020 has not only further erased the traditional parameters of the role, but also intensified the scale and complexity of threats to protect against. As a result, CISOs must ensure that they have the visibility that not only makes them the first port of call for security incidents, but also ensures they’re placed at the heart of strategic decision making and planning.”

What’s Hot on Infosecurity Magazine?