Chief Information Security Officers (CISOs) may be starting to make an impact in North American companies, according to a recent survey by an anti-virus software vendor, which also found that cyber security professionals tend to be very confident of their ability to handle data breaches in 2015.
ThreatTrack Security Inc., of Florida, surveyed some 250 IT security professionals from large United States-based companies and found that security professionals are “demonstrating high levels of optimism and confidence,” despite the onslaught of cyberattacks businesses faced in 2014.
This optimism, the company said, appears to stem from a sense that “senior management, which may have been more reticent about cyber security spending in the past, is ready to make the necessary investments.”
Another part of the study dealt with the evolving role of the CISO. ThreatTrack noted that results of its June 2014 survey found that C-level executives “overwhelmingly misunderstand and underappreciate the CISO role.”
This more recent survey, conducted in October this year, indicates a shift in perceptions.
“For one thing, companies with a CISO are 25 per cent more aware they may be targeted by cybercriminals in 2015 than those without a chief security leader,” the report said.
In organizations with a CISO, 75 per cent of respondents said they are more likely to suffer a cyber attack, compared to only 46 per cent of companies without a CISO, and 69 per cent of all respondents.
ThreatTrack also said that having a CISO in the organization appears to have a direct relationship with how organizations plan to invest in cyber security.
The survey found that companies with a CISO are twice as likely to expect to spend considerable time integrating new solutions into existing cyber defences in 2015.
“This indicates that CISOs are successfully making the case for new technology investments for 2015 to the point where security professionals are already factoring it into their plans for the year, as well as counting on those investments to enable them to better prevent data breaches,” the report said.
As many as 56 per cent of respondents in companies with a CISO said they will update security policies as recommended by their CISO. Nearly all (98 per cent) of respondents in companies with a CISO said they believe senior management will listen to the CISO’s security recommendations.
By contrast, companies without a CISO put plans to replace ineffective endpoint solutions at the top of the list of their cyber security investments.
“This indicates that organizations without a CISO are still pursuing a traditional IT security model,” ThreatTrack said. “They recognize the fundamental importance of endpoint security and enterprise antivirus as a component of cyber defense, but they lack the foresight or ability to invest in next-generation malware defense.”