67% of CISOs feel their organizations are unprepared for today's cybersecurity regulations
Onyxia Cyber today unveiled its Regulations, Reporting and Risk Management: The Voice of the CISO 2024 report. Based on responses from over 200 CISOs across a wide range of industries in the United States, the report provides a deep dive into the mindset of today's CISO, and how compliance risk, AI opportunities, and business decision-making are impacting the position.
The job of a CISO has changed dramatically over the past few years. What used to be a technically minded cybersecurity role has evolved to include a greater emphasis on security strategy and quantifying and mitigating business risk. With compliance regulations adjusting to meet an evolving risk landscape, and the cost of a breach growing year on year, executives realize the importance of saving a cybersecurity seat at the table.
With new, stringent regulations such as the SEC's cybersecurity disclosure rules in the USA and the Digital Operational Resilience Act (DORA) in the EU, a significant challenge is emerging for many organizations. A startling 67% of CISOs report feeling unprepared for these new compliance regulations, while 52% admit to lacking sufficient knowledge on how to report cyber attacks to the government.
"As cyber threats escalate and regulations impose heavy penalties for non-compliance, it's imperative for CISOs to reassess and strengthen their security programs in a data-driven way. Our survey reveals critical industry benchmarks, highlighting areas of strength and significant gaps that need urgent attention," said Sivan Tehila, CEO and Founder of Onyxia. "CISOs must enhance their preparedness, improve security hygiene, and embrace new technologies like AI to better maximize their existing security tools and protect their organizations."
Additional Key Findings:
- Incident Response Plans: Over half (56%) of the surveyed CISOs admit discomfort with their current incident response strategies, indicating a significant need for improvement in handling cyber incidents effectively.
- Board Communication: 67% report having difficulties in effectively persuading the C-suite of their security strategies and securing buy-in for their initiatives. Interestingly, only 19% of those who have been a CISO for 5+ years find it very easy to share their strategy with the executive board, while 40% of less experienced CISOs say the same.
- Security Hygiene: Basic security measures, such as multi-factor authentication (MFA) and strong passwords, are not universally implemented. On average, CISOs consider it acceptable for 11% of user accounts to have weak passwords and 13% to lack MFA, highlighting areas for improvement.
- AI Integration: 84% of CISOs currently measure the effectiveness and performance of their security programs with either spreadsheets, analysts, or a combination of the two approaches. Despite a reliance on manual methods, CISOs see potential in AI. Ninety-seven percent (97%) believe AI can enhance risk management, with 54% believing AI capabilities could help them in identifying gaps and redundancies in security stack coverage and 42% anticipating AI's role in automating business-level risk reporting.
"Our industry is going through an evolution phase," said Chris Roberts, Onyxia Cyber CISO Advisor. "This time the maturation of our industry is at a point where business drivers, leadership conversations, legal, compliance, regulatory, and accountability conversations dominate over most other concerns. This report paints an honest picture of where we're at, what we've done, and what we have left to do."
For more information, please download the full report.