Senior security leaders are under continuous pressure to protect their organizations from threats. Our 2021 Leadership Perspective Survey data suggests that CISOs are also focused on how to communicate risks with their boards and peers. The data also shows where CISOs have shared goals and challenges across the C-suite, leading to opportunities for collaboration and networking. The overwhelming challenges of 2020 led to numerous productive discussions in which Evanta communities hosted 204 virtual events for 7,600 CISOs.
This year, uncertainty is still a concern for business, security and technology leaders. CISOs continue to face unrelenting security threats amidst a rapidly changing environment. They also anticipate managing hybrid workforces and a multitude of vendors, while they try to stay ahead of shifting targets and improve the maturity of their security programs.
Cloud Security a Top Concern
Interestingly, CISOs from Evanta communities around the world shared that their top priority for 2021 remains cloud security, strategy, and architecture, the same priority they reported in 2020. Several areas of focus have remained the same or shifted only slightly for security leaders.
In early 2020 before the pandemic, all things related to the cloud, including system migration, architecture, strategy, data, and security were still the number one priority for CISOs. Controlling user access and communicating about risk rounded out their top priorities early last year.
This year, we also looked for commonalities in their specific goals for cloud initiatives (75% indicated mitigating risks) and the challenges they foresee in achieving them (61% reported a lack of skills).
CISOs are protecting against unauthorized access to critical data stored in the cloud, staying ahead of compliance and legal requirements, and being thoughtful about introducing additional third-party vendors into their networks.
Goals for Cloud Security, Strategy, & Architecture
75% Mitigating risks
48% Expanding digital business & increasing maturity
47% Improving processes & efficiencies
Challenges around Cloud Security, Strategy, & Architecture
61% Lack of skills
50% Quickly changing landscape
43% Lack of resources
Some concerns that CISOs shared anecdotally about cloud security include the following:
“Are we taking on more risk by moving to the cloud?”
“It’s easy and fast, but it’s public.”
“What is the governance around this?”
“There are a lot of people moving to the cloud to cut costs and are taking on more risk than they realize. We need to explore how to ensure cloud security.”
85% of CISOs said they wanted to discuss cloud security from a strategy perspective, ahead of execution (69%) and, a distant third, leadership (29%).
How to Communicate Risk
Another top priority for security leaders this year is how to measure and communicate risk to other C-suite leaders and the board. Much like securing the cloud, communicating about risk was among CISOs’ top three priorities for all of 2020. These are their goals and challenges:
Goals for Measuring & Communicating Risk
72% Mitigating risks
64% Improving metrics & KPIs
53% Making data-driven decisions
Challenges around Measuring & Communicating Risk
43% Company culture
42% Lack of resources
31% Quickly changing landscape
CISOs told us their specific communication concerns, including the following:
“Defining the key metrics on what to score and how to relay this to the board.”
“How to communicate risk to the business in holistic terms: cyber risk, market risk, sales risk.”
“How can you map the security investment into the risk strategy? Translating that risk into financial terms would help to get the buy-in of the board.”
As one CISO said about risk communications, “It’s never-ending.” They are interested in learning more about this topic from a strategic perspective (71%), and also from a leadership point of view (61%).
Executing User Access and IAM
CISOs are staring down increasingly complex IAM challenges, both internally and externally. They are working to embed security practices into the organizational culture while also managing the challenges inherent in a remote work environment. Nearly the same number of security leaders indicated that their top goals are improving processes and mitigating risks.
Goals for User Access / IAM
76% Improving processes and efficiencies
75% Mitigating risks
44% Optimizing the customer experience
Challenges around User Access / IAM
59% Legacy technology
41% Lack of resources
34% Lack of skills
Some topics that CISOs specifically want to discuss on access management include:
“Should we be focusing on device protection or information protection? I believe we are losing the war against the devices and strongly believe we have to shift the mindset. What does the balance look like?”
“There is a big thing about policy, which sits above all these topics. Is everything aligned? Security awareness is about influencing behaviours, but so is policy and implementing technologies.”
“It would be helpful to exchange information on the new approach we should take because of moving to the cloud and how access controls should be deployed in the Zero Trust environment.”
What Lies Ahead
Across all of security leaders’ top priorities for 2021, their primary goal is to mitigate risk. But as one CISO noted, “Getting a holistic picture of threats is difficult.” Most often mentioned next is their objective to improve company processes and efficiencies. The most cited common challenges are staying ahead of the quickly changing landscape in which they are operating and their company culture.
Leaders across the C-suite increasingly understand the need for security measures and risk management, meaning that senior security leaders are not alone in the fight to secure the business. Security measures are everyone’s responsibility internally, and CISOs could partner with CIOs and CHROs to drive awareness and adoption. As one CISO stated, “How do we get everyone in the business on board with following the right security processes? We need to have accountability across all the business lines, not just IT.”
Recruitment and retention of employees and the next generation of security leaders are other areas in which CISOs could work cross-functionally with their HR peers. According to Gartner, “by 2022, 30% of all security teams will have increased the number of employees working remotely on a permanent basis.” It will be crucial for CISOs to help influence remote work policies and procedures that impact their teams.
In addition, a little less than half of CDOs in our survey identified “creating a cloud or hybrid data strategy” as a top priority. That could create another opportunity for CISOs to partner across the C-suite with CDOs to further their cloud, security and architecture initiatives.
The CISO role continues to be integral to overall risk management within organizations, opening the door for security leaders to grow their influence across the business and collaborate with their C-suite peers. As one CISO noted, “Relationships matter as you are ascending to the CISO role.” As CISOs continue to be risk managers across the business, they will have opportunities to break down barriers to support the entire enterprise.
Based on more than 800 CISOs’ responses to Evanta’s 2021 Leadership Perspective Survey.