THE CISOs' NEW

DAWN

Chapter 2: A reality check

Introduction

While the events of the past year may have accelerated the rise of the CISO to a senior position, this pace of change has a price. Added recognition and responsibility is great, but it often comes with a laundry list of fresh challenges.

In this chapter, our panel consider accountability, culture, board engagement and the need to move from cyber as risk mitigation to a creator of business value.

All managers, not just security specialists, must take accountability for understanding the impact of cyber security on their departments. Allied to this is the need for open cultures and security charters. Ensuring the board is engaged with cyber security emerges as a pressing topic.

There’s a big difference between being handed more responsibility and having the resources to do something about it. For that matter, responsibility is often a separate thing from recognition of the value of one’s work.

Part of this issue is concerned with both how cyber security is viewed by different organizations, and about its position in many workplaces as a business function. Demonstrating a return on investment or risk avoidance value remains a challenge.

Compounding the problem is the nature of news coverage when it comes to cyber security: awareness of risks and threats is a good thing, but it can be a double-edged sword. Knowing of a problem at board level without any understanding of its relevance to an organization, or how to go about reducing risk, can make life hard for a CISO.

Question #1

Do you believe that cyber security has transitioned over the past 12-18 months in operational relevance?

Seventy-three per cent of the CISOs taking partin this report said they believe that cyber security continues to gain operational relevance, although

it demands a ‘security first’ approach across the business. The challenge with maintaining the operational relevance of security is that, although a high average of the CISOs (6.6) indicated they believe cyber security had become more relevant to their organization, they didn’t think it would increase visibility: 28% of respondents scored 6.0 or below for the belief that cyber security will not become more prominent unless the growth in digital competence and new working from home practices increase the recognition of the role of security.

There was a higher level of optimism in the US, where 82% of respondents scored the regional average or higher (7.1), compared with 57% of European interviewees, who scored an average of 6.0 or higher.

"I want to be better than my competition. But as we become more digital, we have a wider threat surface."

- Hitesh Patel, Head of Cybersecurity, Cloud Computing & Digital Infrastructure Audit & Risk, Fidelity Investments

Security teams in larger enterprise companies show relevance to the operation of the business; CISOs in these organizations have closer, broader and more diverse access to senior management, and this helps them deliver organization-specific reporting to track and respond to operational activities relating to cyber security. This is useful when it comes to reassuring regulators and clients.

"Operational risk is the way forward, tied to business metrics and anchored in good models, methods and processes."

- Simon Goldsmith, APAC Information Security Officer, Adidas

Panelists hailing from small- and medium-sized organizations (SMBs) said operational relevance continues to be minimal. In contrast to bigger businesses, they see security classed as ‘just another’ IT function. Many cyber security officers for these smaller organizations refer to traditional risk measurements such as business impact analysis (BIA) and many of the data and system recovery point and recovery time objective measures. Because these organizations are using older risk measurements, they may not have an accurate picture of cyber risks to their business – or the data points to work out what to do about them.

The interviewees who made these observations are pushing their organizations for security to be taken more seriously so that [security] risk is effectively considered as part of business metrics.

"I believe people’s awareness of security has increased, which has in turn brought security teams closer into the discussions around operations."

- John Scrimsher, CISO, Kontoor Brands

Show a CISO a budget and there are plenty of things they’re happy to spend it on. But senior management rarely sees things that way: budget requests from the CISO are often seen as requests for technology spend, rather than for equally vital operational and resource priorities.

"Cyber crime has necessitated an increase in cyber resilience for organizations - more proactive than reactive. Having defense in layers and the right people over processes over technology is key."

- Chani Simms, CISO, SHe CISO Exec

The approach required now for cyber security, like other functions in a business, needs consistent alignment to operational risk and to increase its relevance. Standalone organizational risk reports that align to operational relevance may exist but, unlike security posture frameworks from NIST and MITRE ATT&CK, all CISOs continually struggle with identifying and implementing a repeatable industry framework. The use of such a framework would increase cyber security return on investment and align more clearly with the varied types of business risks that executives understand.

"Cyber security can consume as much budget as you give it, but there is no ROI about the risk that it will manage."

- Matt Stamper, CISO, Evotek

CISOs are not without ideas, but they need to approach and communicate with clarity

The CISO’s role is often viewed – from arm’s length,at least – as complex and technical. But senior and operations management personnel need to recognize that the majority of the protection provided is to secure authorized access, sharing, and manipulation of ‘data.’

Using data regulation as an example to align cyber security to operational relevance can help toraise awareness and therefore garner support for understanding, interest, and profitability conversations at board level.

Business leaders are not failing to recognize cyber security as a key part of operational relevance. However, CISOs in this study reported more direct questions from their CEOs about incidents – and if such incidents affect the operational availability of the business. Cyber risks can immediately compromise the security of customer, employee and partner data – and that can lead to damaged reputations and threaten future success.

Efficacy of security products

One statement, reiterated many times by our interviewees, points the finger at the efficacy of cyber security vendors. Software and hardware security products are written with zero liability; any recourse of culpability invariably rests with the CISO instead. This response is confirmed by Debate Security’s October 2020 Cybersecurity Technology Efficacy report.

Question #2

Are your leadership teams more, or less, engaged with IT security teams?

The range of responses to this question highlighted varying degrees of engagement.

"Especially as the customer agenda had changed so they have had to change. The challenge is: was it security that increased the engagement or was it the CISO?"

- Andrew Rose, CISO, Vocalink (A Mastercard Company)

 

Leadership teams are keener to engage more with our CISOs and their security teams, according to our respondents. Almost two-thirds (65%) of the CISOs believe there has been a positive move to engage more with their teams. Both regions averaged 6.5-6.8, although more US CISOs (73%) scored at or above their average.

The heightened importance and coverage of security in the business and across the respondents’ chosen industries has started to affect a changed engagement over the past 18 months. Commonly, when researching across different industries and sizes of organization, the more positive indicators come from those organizations with a flatter hierarchical structure.

"Yes they are more engaged - because we have a very engaged CEO who wants to know about context."

- Anonymous CISO

"Less engaged. Security is considered one step below relevance."

- Nathan Reisdorff, CIO, New England Law

CISOs suggested that it can be easy to assume that everything should be naturally aligned and that every employee from the top down takes an interest in cyber security across all roles, but this is never the case. Often, a positive outcome depends on CISOs applying pressure and communicating with convincing arguments before the engagement happens. Many of the CISOs believe that all leadership individuals could do better.

Those respondents that reported a positive engagement – for understanding the value of security teams and their concerns – believe that it is driven from the CEO down. These organizations have security councils with regular monthly and weekly meetings, engaging with other technical leaders, such as the CTO and CIO, providing valued input to board meetings.

Lack of understanding is still a barrier

Some CISOs reported that security is still perceived purely as an IT function or a cost to the business, with
no tangible ROI aligned to various business risks. Organizations where this perception was noted – and also where the CISO reports directly to the CIO – appear to suffer additional barriers primarily associated with lack of visibility and no direct access to senior management, which restricts accessibility to the security team.

Many CISOs noted that high-profile incidents such as ransomware infections raised awareness, but this often only created a short-term change or lip service. When CISOs ask senior management about their interactions with the security teams, they say they are more engaged with the teams, although many CISOs are not observing any evidence. 

Question #3

Have board priorities and attitudes changed regarding the importance of cyber security protection?

CISOs must continuously deal with a variety of board perspectives regarding the importance of cyber security protection.

While 78% of the CISOs scored our question highly (between 6-10), only 10% believe that board priorities and attitudes have changed at the highest level (scoring 9 or 10), leaving much more work to be undertaken.

"It used to be about qualitative risk in the past, but this has changed because of regulatory implications to the board."

- Todd Gordon, Director, Information Security, EisnerAmper LLC

Many (69%) believe that boards, investors, and CEOs now understand that cyber incidents – and the reporting of them – could negatively affect them at any time. Stiffer regulatory enforcement and the threat of severe monetary penalties means that cyber security, when aligned to these requirements, has a greater top-down priority and needs to be taken more seriously.

Several of the CISOs we interviewed report that, when they first joined their employer, it did not have an appropriate security culture. Rectifying this required a persistent program of communication, metrics and education. CISOs have had to learn to convey the value of cyber security at the highest (spoken) level. In many cases, the conversation has needed to be constructively argued, or any appreciation is only recognized after the company has experienced a cyber incident.

In contrast, those CISOs working within organizations with more proactive boards believe executives at the top understand the relevance and detrimental effect of a cyber incident to their organization.

Proactive organizations have set a strategic direction for security via regular security board meetings (chaired by the CEO or COO) that informs how they should approach business operations and their cyber security priorities. They are also learning to understand their own liability and insist that CISOs build closer working relationships with the risk management teams, adopting both a qualitative and quantitative attitude, to ensure their company can mitigate or respond directly to negative stories about them or their industry in the headlines.

"I do believe that [awareness of the impact of cyber attacks] is starting to change across organizations, as a breach could have far reaching impact on brand reputation. Boards are starting to pay attention to Zero Trust and Defense in Depth strategies."

- Royce Markose, CISO, rewardStyle

 

The mid-range of acceptance covers those boards where attitudes have changed, but the CISOs are still unsure if it really is a priority. In many of these cases, CISOs who spoke with us believe that the reality of the security debt their organization has built up will hit home when a breach affects their organization’s brand and reputation, triggering unprepared and reactive responses to previously ignored risk. This doesn’t stop some organizations insisting that security teams are able to make do with the same resources. Many CISOs will not have the tools or skills to deal with incident response or minimize the impact on the business. With limited or no top-down direction, CISOs do not have the full picture that identifies what to protect (including unknown shadow IT) and what the impact of an attack may cause.

At the lower end (21% scoring 1-5), our CISOs report that some boards remain convinced they can solve any risk with traditional security management. A regular comment from our panel was that this type of board only wants to see security as a lower-priority cost to the business, and can be consequently unreceptive to the reporting of cyber security issues or risks. These boards may change their minds after an incident (if, indeed, they are still in their roles). However, the CISO also worries that any lessons learned following an incident may be forgotten, with no further recurrent investment or cultural changes applied, leaving the company open to further cyber incidents.

Our CISOs believe that for boards to prioritize and truly understand the significance of cyber security to their business, they must adopt the best practices from CISOs in the larger organizations and establish a cyber security board that is chaired by the CEO.

Question #4

What are your beliefs about cyber security as a board discussion?

The topic of cyber security and the board is probably one of the most evergreen. Although the CISOs scored predominately in the upper range (6-10) with an equal balance across the two regions believing that board- level conversations are a priority, surprisingly, the respondents had diametrically opposed contextual views on the subject.

"Cyber security is one of the multiple risks to the business; we have a cyber security board committee chaired by the CEO."

- Hitesh Patel, Head of Cybersecurity, Cloud Computing & Digital Infrastructure Audit & Risk, Fidelity Investments

In one corner, CISOs strongly believe that cyber security is one of multiple risks that all businesses have to contend with, and that these are owned by the top of the organization. As we’ve seen from earlier questions, some CISOs already had a seat on the board, or work with board committees that tackle cyber security, allowing them to relay security risk. This board-level inclusion has not come easily. The majority of CISOs have had to wrangle to establish high-level engagement around cyber security risk management, in the same way that their peers huddle to discuss legal, finance, and human capital risks with a collaborative objective to set expectations and agree KPIs.

"It needs to be an integral part of business and security risk discussions. The board should be learning about risk as a possible impact to the business and shareholders."

- Scott Goodhart, CISO Emeritus, The AES Corporation

In the opposing corner are the CISOs who continue to push cyber security as a board-level discussion but see a general inability for boards to recognize the criticality of cyber security in business operations, focusing instead on the ‘other higher priorities in the business’ directly associated with revenue generation. They believe that this shows senior management’s lack of understanding of the risk exposure that comes with some of the higher priorities, such as increased digital adoption.

"Security is seen as a compromise with business efficiency, so we find the middle ground to compromise, requiring us to be more flexible in effectiveness and implementation."

- Ian Dudley, IT Director, DriveTech

The CISOs acknowledge that maturity curves exist from both a governance perspective and numerous international standards for maturity and risk frameworks, but they do not have an accepted framework for board- level governance for cyber security. This lack of cyber security governance can provide more skeptical senior managers with an easier path to resist the need to change.

Our panelists made the point that cyber attacks can be near-constant. And in stark contrast, other risks in the ERM framework – e.g., property damage, currency risks, or product failure – are far less frequent.

"There should be a flow of information in both directions, rather than just from CISO to the board. The board should create the expectation and educate the company on what types of questions they would like answered."

- Gene Zafrin, CISO, Renaissance Re

 

Another unhelpful factor to come up again is the media, and its high-level (but sometimes context-deficient) coverage, which can make matters complicated for the CISO. Those board members who do not understand the language of cyber security can be put off by perceived technical complexity. Further, the combination of reporting and an inability to ‘direct down’ to CISOs with the right questions can create a situation in which it is difficult to track the effectiveness of cyber security. Focusing on the latest news headline – without understanding how it corresponds to actual business risk – can make it difficult for non-technical executives to fully engage with cyber security. But at the same time, non-technical executives appreciate that high level of caution (Zero Trust) may help to protect consumers, employees and business partners. This latter insight suggests that half the battle is already won, but there is still some way to go to win over some non- technical parties on other areas of cyber security.

When a board member asks, ‘how secure are our systems?’ the CISOs believe that there is a desire to understand the complete answer with all risk factors and implications fully appreciated. But in truth, this would be a challenge for any non-security leader.

CISOs in both corners have to continually take ownership to educate the board and encourage engagement that will enable understanding, quantifiable measurements, and visibility for the operational risks that a cyber attack or incident can impact. And board members could be more appreciative of the digital competency required in modern business (and therefore the modern threats that they will be susceptible to).

"They  think  they want to know 'how secure is our system?', but any answer that’s not 100% leaves them open. What they really want to know is 'are we doing enough?' Trusting your opinion helps answer that."

- Andrew Rose, CISO, Vocalink (A Mastercard Company)

Communication between the CISO and the board must not be a monologue, or a one-way trust request. Regular conversations are essential to set and maintain quantifiable measurements. These discussions need to be comprehensive and to the point, in a language and tone that can be clearly understood. Once this style of dialogue is established, it creates a conduit for continuous performance monitoring and higher overall gain. Better understanding can help other personnel to be more involved, and identify and raise potential cyber security issues. That could be an encouraging shift from ‘siloed security’ to more proactive ‘business team players’ across the business.

Question #5

Do you believe that cyber security is treated as a business enabler or a risk mitigation practice?

Every CISO would love to break down cyber security barriers and become a critical path for enabling business activities. It was clear during this study, however, that this is wishful thinking. A majority (72%) of the CISOs scored 7.9 on average and continue to see cyber security as a risk mitigation practice by the business. Around a fifth of CISOs say they are making progress towards shifting internal perception of cyber security towards it being a business enabler. That said, none believe they have completed this switch: not one respondent scored in the 1-4 range. The general perception is that identifying business enablement alignment is a pipe dream for the majority of organizations.

It seems that CISOs and their CEOs see cyber security predominately (79%) as a risk mitigation or compliance practice. Ideally, when invited to contribute, cyber security is considered within an enterprise risk management framework, the primary task being to reduce negatives rather than add positives. There are a very small number of industry-specific occurrences, such as legal firms and other types of service-based organizations, that can provide cyber-centric value-added services (SOC2) as a business enabler.

For some organizations, successful compliance is a minimum requirement

In this context, good security is a business enabler because it aids compliance. An example is SOC2, which applies to technology-based organizations storing customer data in the cloud, such as personally identifiable information (PII), health data (PHI), and credit card information (PCI). In these cases, SOC2 is one of the most common compliance requirements that technology-focused companies must meet today to operate legally. Other compliance requirements can vary depending on location.

Respondents agreed that a level of internal misconception is being assumed, where individuals are interpreting cyber security as a business enabler, solely down to any increased security awareness and the involvement of the security team at the start of projects, which are still directed by the IT team. Peers of the CISO accept that a cyber incident could disable some or all of business operations, but they are not embracing a ‘security-by-design’ operation that could encourage consumers and business partners to engage with the organization. When you combine strong cyber measures to mitigate an attack, ‘security-by-design’ organizations will align correctly to business enablement.

"At the moment [cyber security] is a risk mitigation. The business is starting to understand how it can be a business enabler, but it’s not in the innovation area at the moment."

- Mauro Israel, Corporate CISO, ORPEA Group

The challenge of conveying the ROI of cyber security

Without the instance of a mitigated attack, cyber security offerings do not have an immediate demonstrable ROI for the top or bottom lines. The financial benefits of robust cyber security implementations come from not having to pay ransomware, regulatory fines, or suffering the loss of customer confidence after a breach.

It is all too easy to work on the assumption that cyber security is a cost of doing business, rather than a cost of business. Consequently, there is a requirement for better understanding and business application regarding cyber security.

We have already talked about how non-technical staff can be helped to realize the benefit of having a more secure system environment in which to work with email, web, and access and identity security tools.

"Our SOC2 certification provides a good standard and testing, verifying to clients and selling to new clients. Although risk mitigation is still emphasized, and our exec board need to understand how we are dealing with it."

- Todd Gordon, Director Information Security, EisnerAmper LLC

But the other side of this is that no matter how experienced and knowledgeable CISOs are, very few of them truly understand how to use cyber security to increase the opportunity for their business. The good news is that many are open to understanding the correlation and how it can make budgeting easier and lower the perception that their role and its associated technologies are only a cost to the business.

What priority do you place on responding to cyber security coverage in the news?

"It’s important to stay advised of new threats but take everything with a grain of salt."

- Todd Gordon, Director, Information Security, EisnerAmper LLC

CISOs view media coverage of cyber security incidents as a double-edged sword: beneficial but also distracting. If the coverage is relevant to their industry, they can prioritize the content and provide their own context. But many respondents saw most coverage as either too high level or part of a theme of cover, rinse, wash, repeat. This was reflected by half the CISOs we spoke with scoring between the mid-range (4-6) available. But numbers can be deceiving; 64% of US CISOs appear to acknowledge the relevance (scored 7-10) of cyber security coverage, three times more when compared with only 21% of their European peers.

"News can help - and distract. We leverage Threat Intelligence over news. If it’s in my industry, we need to understand how it might affect us."

- Hitesh Patel, Head of Cybersecurity, Cloud Computing & Digital Infrastructure Audit & Risk, Fidelity Investments

How the right kind of coverage can help security firms to make money

An exception to industry-focused coverage was WannaCry. Its cross-industry implications served as a blunt incentive to many CISOs to widen their focus and appraise the risk factors to their business. The majority of the CISOs expressed frustration at what they saw as sensationalism and wanted to see more factual content that informed the reader about the source of the attack, actual disruption to those affected, and what measures the target organizations and supporting agencies were undertaking.

"Look for an opportunity to learn about the coverage and evaluate if it could improve the knowledge of cyber security  in the company and respond internally as an educational exercise."

- Scott Goodhart, CISO Emeritus, The AES Corporation

Regardless of the writers’ intent, media coverage is consumed and interpreted by CEOs who increasingly want to understand the relevance of these attacks to their own business. Sensational headlines from general reporting may be great for grabbing attention but they can often waste a CISO’s time if the high-level soundbites aren’t informative or lead to actionable, helpful insights. Often, such reporting can raise more questions than it answers. CISOs need solutions, ideas, and knowledge. They are not going to contact an alternative or additional security vendor without appropriate cause to do so.

So, where do security firms need to target to gain more interest in their offerings? CISOs use open-source newsfeeds from respected experts (rather than more generalist media) for an informative reality check that adequately describes attacker tools and procedures. They are not totally dismissive of the general media reporting but would ask the technical journalists to raise a tangible awareness around cyber security rather than just making headlines.

Question #6

Do your peers in your organization understand how cyber security is a threat to their responsibilities?

There is still a cultural gap between the business of security and the business of the business, and this calls for difficult conversations and a lot of education. Some senior management believe that a cyber attack equates solely to phishing, and that if it is resolved by automated discovery or the suspicions of an employee, then all will be well.

"I do think they understand the threat to a certain level, but it’s a continuous learning exercise. They don’t always understand the possible impact(s) so it needs the CISO to explain this to them, an important education process. People need to take ownership in their areas."

- Scott Goodhart, CISO Emeritus, The AES Corporation

In general, CISOs believe (73%) there is greater awareness of the impact of cyber security across their organizations, although no CISO scored this at the highest level (9 or 10). One of the largest chasms to cross regarding the value of security to business success is between technological and line of business discussions – with the CISO on one side and their peers on the other. CISOs in larger enterprises are integrating themselves into non-security-focused business meetings, planning, customer acquisition, and regulation discussions as a way to incorporate the business tone of voice into their discussions to elevate security as a critical element of business growth.

While security teams like to bang the drum about possible attack vectors and incidents that they have successfully mitigated, responses from non-tech staff can lack the same enthusiasm. Worse, this latter group sometimes pretend to understand, or pay lip service without fully realizing the benefit of security success stories that positively affect their own responsibilities in the organization. As one respondent put it: “Some do understand. Some pretend they understand. Some don’t care.”

"We have a security awareness program to address the weakest link. We can build a strong system, but no control over the humans (weakest link). They should understand their share of responsibilities."

- Hitesh Patel, Head of Cybersecurity, Cloud Computing & Digital Infrastructure Audit & Risk, Fidelity Investments

The benefits of a security charter

The businesses with an ‘open culture’ are more likely to get buy-in from their peers about the relevance of security and its impact on their responsibilities. In many cases, they have implemented a security charter so that all functions in the business understand its relevance and importance to operational efficiency.

This has required many CISOs to build security awareness training to ensure everyone can appreciate the cause. It is never a single exercise but a continuous process with an objective to change cognitive actions and curtail the temptation of an employee to find a workaround if they feel security stipulations are restricting their workflows.

F-Secure Countercept perspective

The CISO and their security team can set security policy all day long - but it takes everyone in an organization to make it work, and none more so than the members of the board. One of the most under-rated yet valuable aspects of a CISO’s role is the job of getting the rest of the business to understand the role cyber security plays.

The success – or otherwise - of communicating this often hinges with the way CISOs communicate with their board of directors about risk. There are two other challenges, too, however.

Owning risk

Persuading – or obliging – everyone is a job that’s bigger than just the CISO and their team: it’s a board-level issue, and they ned to persuade everyone in the organization to be accountable for the security of their part.

The problem with this assertion is that it is utopian – but it is something to aspire to, regardless. It can be improved by identifying and testing how best to communicate the importance of good security to employees and leaders. It’s quite common for broader cyber security awareness to be limited to annual, compulsory training – and that needs to change. Delivering engaging, easily-understood training that nevertheless doesn’t undermine the importance of what is being conveyed is a challenge, but one that can be overcome. This is something security vendors already do – but something few customers ask for help with as part of the service they pay for.

Communicating risk

The other side to this issue is identifying and communicating risk. There have been plenty of attempts over the years to work out how to establish how cyber security risk should be defined, assessed, and mitigated effectively, but none have been particularly successful due to the way that we, as a species, evaluate risk1.

Yet all three of these things are important when working out whether a product, business or service will help solve a particular problem. Quite a of the tools and frameworks available for assessing what controls an organization has and should have (two examples are NIST Cyber Defense Matrix2 and MITRE ATT&CK3) are helpful – but they aren’t a silver bullet solution to assess the risk and organization faces.

This leads us to another challenge: Even if an organization can identify and quantify the risks it faces, it’s not a given it can accurately assess its own maturity when it comes to dealing with that risk; in part this is down to vendors overstating the efficacy of their product or service. Regular red team exercises against your security providers (and involving them in the debrief) can address this, as can a discussion of purple teaming4 and an overview of the results.

Buying risk offset

Understanding and communicating the risk and setting it against the context of maturity often leaves organizations with more than one hole in their defenses that they need to plug – and fast.

Going back to the board you’ve just educated with a big shopping list can be daunting, especially given how cyber security spending is often framed. Viewed as something akin to an insurance policy encourages buyers to think in terms of cost. That, however, omits cost avoidance or even the potential value add of effective cyber security. Partly this is due to the way that humans look at risk when it comes to looking at losses and gains – and our judgement is sometimes skewed by the language used to describe the probabilities of risk, loss and gain. In short5, investment in security is often framed as a definite loss – a cost – where the risk of not investing is ‘only’ a probable loss.

Managed threat hunting service with 24/7 coverage with F-Secure Countercept

Research methodology

The author of this research is Kevin Bailey (an independent cyber security analyst from Synergy Six Degrees on behalf of Omnisperience) and it is published by F-Secure. F-Secure funded the report while all interviewees contributed on a voluntary basis.

The qualitative interviews for this research have been conducted independently from the sponsors of the work. All editorial control has remained with the author.

Interviews

Twenty-eight interviews were undertaken between July and September 2020. A total of 23 interviews were conducted one-on-one and five interviewees provided their responses via the qualitative questionnaire, all on a confidential basis. At no time was the sponsor aware of the full interviewee list. All call-out and respondent listing attributions were sought by the author following completion of all interviews. This approach was adopted to encourage candid contributions. The setup and questioning approach has been designed to avoid bias, and where there has been risk of bias, this has been explicitly discussed in the interviews. Only three of the interviewees were existing F-Secure customers at the time of the research. Each interview lasted at least an hour, with most lasting around 90 minutes and many leading to follow-up conversations to discuss the conclusions of the research.

Cohort

The cohort of interviewees were approached based on their depth of expertise and were selected to build a balanced set of inputs.

The author had no commercial connection with the interviewees.

The participants were assured that the report was not intended to directly, imply or intimate that they endorsed or validated any sponsor products or services. The roles covered in the cohort include CISOs (or equivalent title), Head of Cyber Security, Director of Information Security and Head of Threat Intelligence.

Financial services is the most strongly represented cohort.

Research methodology

Twenty-eight qualitative interviews supported with targeted quantitative data points to achieve a grounded theory of the research objective.

Research period
July - September 2020

Geography
Europe - 14
US - 14

Industry
Finance
Energy
Commodity Trading
Services
Manufacturing
Engineering
Health
Education
Digital Platforms
Telecoms
Cyber Security
Accounting
Food

Titles
CISO - Chief Information Security Officer
CSO - Chief Security Officer
CIO - Chief Information Officer
Director of Security & Privacy
Director IM and Security
Director Information Security
IT Director
IT Security Manager

Chapter #1

An effective security leader

Our panels most pressing priorities over the last 18 months

Read now

Chapter #3

The cyber threat surface

What adversaries are up to – and what keeps CISOs awake at night

Read now

Chapter #4

Cyber triggers influence change

Evolving threats force change on companies and CISOs

Read now