Gemserv has published the findings of its latest CISO report, ‘The Future CISO’. The report has been compiled after its second annual survey of chief information security officers (CISOs) at 200 large UK & EU enterprises, across sectors including financial services, energy, retail, IT and manufacturing.
Most leadership boards expect the cybersecurity landscape to become more complex, believing that the risk of attacks on UK businesses is increasing. However, most CISOs believe boards are overconfident about their understanding of the issues and are failing to provide the support needed to protect the organisation, its reputation, and its customers from data breaches and cyber attacks.
Gemserv’s director of cyber and digital, Mandeep Thandi, said: “Given the significant impact a cyber breach can have on organisations, including potential damage to reputation and share price, it’s encouraging to see CISOs have elevated cybersecurity to a board-level concern rather than it remaining an IT department issue. Confidence among CISOs in their ability to manage these threats remains low. They anticipate an increase in both the volume and sophistication of cyber attacks. At the same time, IT leaders face mounting pressure to rapidly implement transformational technologies such as cloud computing and GAI, which can heighten an organisation’s attack surface and therefore vulnerability to cyber threats.”
Key findings:
- 72% of organisations are actively incorporating AI into customer-facing products and services, but 37% of CISOs say they are not confident the business fully understands the risks.
- 48% of CISOs describe the board’s general understanding of risks as ‘excellent’, a significant increase from 2023 (37%) but 62% believe that staff lack the required knowledge and training to avoid a breach.
- 79% of large enterprises invest in specialist cyber threat intelligence for CISOs, but the remainder rely solely on the press, social media, vendor marketing and regulators for information, which is not real-time and can be less reliable.
- 88% of CISOs think the threat landscape is becoming more complex, with 37% not confident they have the resources they need. 44% struggle to recruit and retain the skilled people they need, amid a 3.2m ‘workforce gap’ for IT talent.
On the positive side, compared to last year’s findings, there has been a rapid and marked improvement in board-level awareness, driven by:
- new legislation such as GDPR and the introduction of pan-European standards such as the NIS Directive,
- more CISOs moving upstream to take seats on boards, increasing awareness of the wider reputational and business impacts beyond IT disruption,
- increasing media coverage and awareness of the damage that can be caused by high-profile cyber attacks, such as those on British Airways, Marriott, SolarWinds, CrowdStrike and many more,
- the rollout of more frequent, higher-quality training and the growth of better data security culture within large organisations,
- increasing dependence on potentially vulnerable but business-critical technologies that power cloud computing, remote working, and applied AI.
Thandi added: “While huge strides have been made by UK businesses to enhance their cyber defences and protect themselves against breaches, these findings show that the majority of UK enterprises remain largely unprepared for the year ahead and should review their cybersecurity strategies as a matter of urgency.”
The report recommends a five-point checklist for boards and CISOs to audit their preparedness for attacks:
- Create a business case for cybersecurity investment based on the direct and indirect costs of a successful attack (ransom fees, damage to share price, reputational damage, cost of downtime, cost of repair).
- Routinely review business continuity and attack response plans at board level, whilst making continual investment in building a security-conscious culture throughout the organisation, backed up by habit-forming training and a zero-trust approach to all new technology.
- Provide CISOs with an emergency budget to access in the event of an attack, as well as flexibility to review investments and change course during the year as the threat landscape changes.
- Involve CISOs in all technology procurement processes, ensuring vendors are only selected if they meet specific security thresholds and that any third-party technology is continually monitored to ensure it maintains the standards.
- Immediately consider investment in three core areas, if not already: GAI defence technology to mitigate GAI attacks; managed service security providers (MSSPs) to outsource and mitigate for skills gaps; and specialist cyber threat intelligence software to predict and prevent the majority of attacks.
PCR Tech and IT retail, distribution and vendor news