UK digital transformation consultancy Gemserv has published the findings of its latest CISO report, The Future CISO. The report has been compiled after its second annual survey of chief information security officers (CISOs) at 200 large UK & EU enterprises, across a range of sectors including financial services, energy, retail, IT and manufacturing.
Most leadership boards expect the cybersecurity landscape to become more complex, and believe that the risk of attacks on UK businesses is increasing. Yet most CISOs believe boards are overconfident in their understanding of the issues, and are failing to provide CISOs with the support they need to properly protect the organisation, its reputation, and its customers from data breaches and cyber attacks.
Gemserv’s Director of Cyber and Digital Mandeep Thandi said: “Given the significant impact a cyber breach can have on organisations, including potential damage to reputation and share price, it’s encouraging to see CISOs have elevated cyber security to a board-level concern rather than it remaining an IT department issue.
“Confidence among CISOs in their ability to manage these threats remains low. They anticipate an increase in both the volume and sophistication of cyber attacks. At the same time, IT leaders face mounting pressure to rapidly implement transformational technologies such as cloud computing and GAI, which can heighten an organisation’s attack surface and therefore vulnerability to cyber threats.”
Key findings:
• 72% of organisations are actively incorporating AI into customer-facing products and services, but 37% of CISOs say they are not confident the business fully understands the risks
• 48% of CISOs describe the board's general understanding of risks as ‘excellent’, a significant increase from 2023 (37%), but 62% believe that staff lack the required knowledge and training to avoid a breach
• 79% of large enterprises invest in specialist cyber threat intelligence for CISOs, but the remainder rely solely on the press, social media, vendor marketing and regulators for information, which is not real-time and can be less reliable
• 88% of CISOs think the threat landscape is becoming more complex, with 37% not confident they have the resources they need. 44% struggle to recruit and retain the skilled people they need, amid a 3.2m ‘workforce gap’ for IT talent
On the positive side, compared to last year’s findings, there has been a rapid and marked improvement in board-level awareness, driven by:
• new legislation such as GDPR and the introduction of pan-European standards such as the NIS Directive
• more CISOs moving upstream to take seats on boards, and increasing awareness of the wider reputational and business impacts beyond IT disruption
• increasing media coverage and awareness of the damage that can be caused by high-profile cyber attacks, such as those on British Airways, Marriott, SolarWinds, CrowdStrike and many more
• the roll out of more frequent, higher-quality training and the growth of better data security culture within large organisations
• increasing dependence on potentially vulnerable, but business-critical technologies that power cloud computing, remote working, and applied AI
Gemserv’s Director of Cyber and Digital Mandeep Thandi added: “While huge strides have been made by UK businesses to enhance their cyber defences and protect themselves against breaches, these findings show that the majority of UK enterprises remain largely unprepared for the year ahead, and should review their cybersecurity strategies as a matter of urgency.”
The report recommends a five-point checklist for boards and CISOs to audit their preparedness for attacks:
1. Create a business case for cyber security investment based on the direct and indirect costs of a successful attack (ransom fees, damage to share price, reputational damage, cost of downtime, cost of repair).
2. Routinely review business continuity and attack response plans at board level, whilst making continual investment in building a security-conscious culture throughout the organisation, backed up by habit-forming training and a zero-trust approach to all new technology.
3. Provide CISOs with an emergency budget to access in the event of an attack, as well as flexibility to review investments and change course during the year as the threat landscape changes.
4. Involve CISOs in all technology procurement processes, ensuring vendors are only selected if they meet specific security thresholds, and that any third-party technology is continually monitored to ensure it maintains those standards.
5. Immediately consider investment in three core areas, if not already doing so: GAI defence technology, to mitigate GAI attacks; Managed Security Service Providers (MSSPs), to outsource and mitigate for skills gaps; and specialist Cyber Threat Intelligence software, to predict and prevent the majority of attacks.