Hello, reader - Logan here. I thought I'd take a detour from our usual content and throw a bit of a curveball today.
Look, useful or not, these blog posts are pretty boring. I get it. You aren't reading them, and I wouldn't either, because we both know what we're doing, and we both have an actual job to do in our 9-5, or worse, 7-11, instead of diving into another "10 Top Cybersecurity Controls Failures and What To Do About Them" or "What Makes Your Cyber Incident Program So Impactful".
My team and I have all been in cyber for over a decade, and you trust us with your cybersecurity - rightly so. It's a complex field that requires years of experience and dedication and is highly specific to your unique situation, threats, attack surface, initiatives, controls, GRC landscape, budgets, and much more.
Ironically, this also makes it challenging to produce awesome, relevant, and readable content, even though we'd love to do just that.
All that said, I do read a lot - all the time, actually - and I recently came across some CISO stats, based on a survey of ~ 500 US and UK security leaders, that I found fairly fascinating, and I thought you might too. Sue me, I'm a nerd.
So, without further ado, the stats, and my, potentially unnecessary, commentary.
Controlled Chaos
61% of security leaders have suffered a breach because of failed or misconfigured controls in the last 12 months. We're starting to hear this kind of sentiment more and more often, which feeds into the narratives of:
"More tools" these days does not necessarily equal "better protection", which is why we've launched this thing, and
The usual "when-not-if" narrative regarding breaches, which is...why ORNA exists as an IR and TTX orchestration tool. So, it's comforting in a weird way, because the industry is arguably due for some kind of a reckoning.
67% agreed that they needed to trade off risks because it was impossible to protect everything. It appears to me, there might be a correlation here with insufficient budgets and staffing. But then again, risk management has always incorporated various forms of dealing with risk - acceptance, transference, and so on - depending on the impact on the business in case this risk materializes, so this isn't necessarily as alarming as it seems on the surface. The question is, does this involve trade-offs between equally critical risks? Is there even a solid awareness as to what they are?
On Combatting Hidden Risks
46% of the team's time, on average, was spent on reporting of one type or another. That's...a lot of reporting, although it seems down from 59% in 2023, which is a good thing. This kind of burden likely greatly contributes to the team's burnout and lack of motivation, as we certainly didn't get into this field out of passion for writing reports. I reckon, increased scrutiny on the value and performance of security investments (source: Evanta) is exacting a heavy price in reporting time, while the automation, metrics, and risk management to cope with it, plus the controls sprawl, are still not mature enough within many enterprises to be robust.
70% said there are too many unknowns to get a clear picture of their risk. Well, that's cyber. Known unknowns, unknown unknowns, and so on; these aspects of risk can be hedged with various forms of failover, disaster recovery, business continuity, redundancy planning, crisis and incident response controls, and so on, but the uncertainty is only likely to grow going forward with the growing increase in infrastructure complexity and the proliferation of AI-enabled threats.
67% agree that specialized tools for cyber analytics aren't good enough. Unsurprising to hear, because these tools must rely on ingesting information from dozens or hundreds of security controls, which may be poorly integrated, misconfigured, malfunctioning, ovelapping, or simply absent. Unless the whole ecosystem is incredibly robust, awesome centralized analytics tools are likely a practical impossibility. We must approach this from the bottom up.
CISOs Unite
90% of CISOs are being asked to give more assurances on security controls than ever and face more scrutiny than ever before. I understand the urge for regulators, Boards, and the executive suite to try and tighten the screws on cybersecurity through essentially GRC controls, but I feel like we might be approaching the area of diminishing returns at this point. The method here needs to be holistic (God, I hate this word), instead of misapplying red tape and 10X-ing reporting requirements. As with many things in life, we can't have it all - not at the same time, anyway - and it's a common reasonable perspective that ultimate security is the enemy of usability, thus hurting the business in other ways.
75% of CISOs believe they face greater personal liability; as a result, 72% have some personal indemnity protection in place, with another 20% seeking to get it next year. 13% are actually paying for it themselves. That last one blew my mind, and just isn't fair. I struggle to find another similar-ish field where, barring gross negligence or malice, the professionals themselves might face personal consequences for doing their arguable best in situations where a good amount of factors are outside of their direct control. I suppose the SEC charging SolarWinds' CISO, Robert Brown, with fraud, alleging misrepresentation of the company's security practices and controls, set a certain precedent - and, in that particular case, I would imagine the principles of gross negligence, fraud, and/or malice apply - but I don't think we should broadly normalize this, much less put in the form of regulatory controls. OK, maybe - maybe - with specific exceptions when it comes to critical infrastructure, defense, and such. But still, it's a slippery slope in an increasingly complex and stressful industry.
Hug The CISO Next To You
47% of CISOs are feeling more anxious, and 15% are considering leaving the industry. Well yeah, I would also consider getting into farming, if there was a constant potential threat of massive personal liability hanging over my head, combined with an increasing amount of workload and that sinking (ha-ha) feeling that you are Jack Sparrow in that POTC intro scene. In fact, I have. But what would the industry do without us? :)
That's all I have for today. Thank you for being our customer and/or friend, and please feel free to reach out to our team to make your 2025 cybersecurity journey just that little bit easier.
Truly yours,
Logan Wolfe, CEO
Comments