Chief information security officers—about 66% of them—are "walking a tightrope" between what the business wants and what makes sense from a security perspective due to the shift in the cyber threat landscape, a study showed.
Around 92% of the CISOs have changed the way they evaluate their business' risk appetite, creating tensions with their CEO and other members of the C-suite, according to research from Netskope, a secure access service edge company.
The research surveyed more than 1,000 CISOs globally to explore the evolution of their role as a member of the executive team. Contradicting legacy stereotypes of the CISO as inherently risk-averse, only 16% of today’s CISOs classified their current risk appetite as low. CISOs see their CEOs as much more risk-averse than themselves, with twice as many respondents (32%) perceiving their CEO as having a low risk appetite, the report showed.
Findings from the research include:
Over half (57%) of CISOs said their appetite for risk has increased in the last five years, with 49% reporting a good risk appetite. Furthermore, 74% stated that a first-hand experience of a cyber security incident was important in impacting their risk comfort levels.
Better access to data and analytics (76%) was the top reason given for their shift in risk appetite.
Around 65% now described their responsibility in terms of improving business resilience, rather than managing cyber risk.
However, 23% strongly agreed that other members of the C-suite currently fail to see that the CISO role makes innovation possible.
Two thirds (65%) of CISOs believe the role is changing rapidly, and they reported becoming more proactive and progressive:
Just 36% of CISOs saw themselves playing a “protector” role primarily focused on defending the organisation.
In contrast, 59% considered themselves to be business enablers, with 67% stating that they want to play an even more active role in the future.
Around 66% wished they could say “yes” to the business more often.
“The best way to make CISOs more proactive partners across the C-suite is to gain a deep understanding of the business challenges C-suite colleagues are focused on solving and align those to security strategies, rather than attempt to assert security strategy—or individual technology choices—on what is perceived to be C-suite risk appetite,” said James Robinson, Netskope CISO.
“Too often this alignment doesn’t occur among enterprise teams. But CISOs who are able to define the ways in which they are helping their C-suite peers to acquire new revenues, drive efficiencies and navigate regulatory requirements will be recognised as valuable contributors at the highest levels,” Robinson said.