Revealing The Need To Empower CISOs with Next-Generation Cyber Defense Planning Tools
EXECUTIVE SUMMARY
Why We Conducted This Survey
Since its founding, SAGE Cyber has been dedicated to building the premier Cybersecurity Defense Planning and Optimization (CDPO) solution created by CISOs, for CISOs. We believe that no one knows better what is needed to move the cybersecurity industry forward than the people who are tasked with doing the job every day. Fulfilling our commitment demands that we incorporate the voices of CISOs at every stage of our company’s journey.
As guardians of security, CISOs possess a profound understanding of the challenges and complexities inherent in cybersecurity defense planning.
As we forge ahead with our mission to create a cyber defense planning platform that addresses the needs and concerns of actual CISOs, it’s imperative that we understand their real-world experiences and perspectives. Therefore, we are committed to facilitating CISO discussions and gathering their insights. This will help us ensure the SAGE Platform remains aligned with industry needs and fulfills its promise of being the CISO’s Co-Pilot.
The Survey’s Key Objectives
Our survey aimed to peer into the mind of modern CISOs and capture their thoughts, opinions, and frustrations regarding various aspects of cybersecurity defense planning. We sought input on topics ranging from organizational preparedness and budget allocations to the challenges faced in implementing effective defense strategies. We allowed the CISOs to remain anonymous, to ensure they felt comfortable sharing truthful answers to difficult questions. The survey was designed to provide a holistic understanding of the current state of cyber defense planning and to identify opportunities for innovation and improvement.
This survey covers five main areas of CISO interest:
- Overall Cyber Security Posture and Readiness
- The State Of Cyber Defense Planning
- Cyber Defense Budgets
- Cyber Defense Planning Methods and Tools
- The Adoption of AI as a Cyber Defense Planning Tool
- CISO Responsibilities
The survey’s primary goal is to gauge how well organizations are equipped to tackle significant cybersecurity planning challenges. Through insights gathered from CISOs, we aim to uncover key hurdles hindering effective cybersecurity defense planning. By examining factors like the percentage of organizations feeling fully prepared versus those expressing doubts, and what methods and tools are used most, we get a clear picture of the current state of Cybersecurity Defense Planning.
Understanding how cyber defense planning ranks among other cybersecurity priorities provided additional valuable context. Exploring the uptake of emerging technologies like artificial intelligence (AI) and machine learning (ML) sheds light on the gap between the current hype around AI and how well it is fulfilling its promise.
We shared the results of this survey with our team of cybersecurity experts to get their insights and suggestions. Ultimately, our aim is to furnish CISOs with actionable steps they can take to improve their cybersecurity planning and day-to-day workload.
2024 Survey Key Findings By The Numbers – The Current Reality of Cyber Defense Planning
50% – Percentage of CISOs expressing uncertainty regarding their readiness to confront major cybersecurity challenges
54% – Percentage of organizations that have increased their cybersecurity budgets for 2024
83% – Percentage of CISOs that still use spreadsheets or pen & paper as their primary method of cybersecurity planning
95% – Percentage of CISOs that are not using AI or ML as part of their cyber defense planning
57% – Percentage of CISOs that believe they would be held personally accountable in the event of a cyber attack or breach
The 2024 Survey Findings In Detail
Questions 1-2: Organizational Cybersecurity Preparedness
- Is Your Organization Fully Prepared to Confront a Major Cybersecurity Challenge?
Yes 42%
No/unsure 58%
- How Would You Rate Your Organization’s Overall Cybersecurity Defense Readiness?
High: 50%
Medium: 37%
Low: 13%
The responses to the first, and most fundamental, questions in our survey reveal a concerning trend in organizational preparedness to confront major cybersecurity threats. It is evident that a significant portion of the surveyed organizations lack confidence in their ability to confront cyber threats effectively. While this lack of readiness might be a cause for alarm, it is encouraging to see that CISOs are cognizant of the need for increased preparedness. Many CISOs feel their organizations aren’t prepared, but at least they are aware and willing to acknowledge the need to do more.
On the other hand, the 42% of respondents who believe their organizations are fully prepared may be assuming that strict adherence to compliance standards is enough to keep their companies safe from threats.
Our peers at CrowdStrike, in their 2024 Global Threat Report, said they “observed a 60% year-over-year increase in the number of interactive intrusion campaigns, with a 73% increase in the second half compared to 2022.” This type of attack is harder to defend against than a standard malware or phishing attack because it involves human adversaries who can mimic legitimate behavior, evade detection for extended periods, and employ sophisticated techniques. Defending against interactive intrusions requires advanced detection capabilities and a deep understanding of normal system behavior to uncover subtle indicators of compromise hidden within vast volumes of legitimate traffic. Attacks of this type have been successfully carried out against organizations, even those with ironclad defenses.
Therefore, our experts believe it is possible that some CISOs may be overly optimistic about their organization’s level of preparedness.
SAGE Cyber Advice:
- Conduct regular and thorough cybersecurity risk assessments to identify vulnerabilities and gaps in your organization’s defense posture.
- Take proactive measures to address these findings and prioritize investments in advanced detection capabilities to effectively mitigate evolving cyber threats.
- Foster a culture of cybersecurity awareness and vigilance among all employees to enhance the organization’s overall resilience against cyber attacks.
Questions 3-5: Cyber Defense Planning
- Does Your Organization Currently Have a Comprehensive Written Cybersecurity Defense Plan in Place?
Yes 48%
Yes, but it is either outdated or insufficient 30%
No 22%
- What is the Biggest Challenge to Effective Cybersecurity Defense Planning in Your Organization?
Insufficient budget for planning 29%
Lack of proper tools or methodology 29%
Lack of focus, prioritization 42%
- How Often Does Your Organization Review and Update Your Cyber Security Defense Plan?
Monthly 13%
Quarterly 27%
Annually 40%
What Cyber Defense Plan? 20%
When taken together these three questions paint a nuanced picture of one of the main challenges organizations face in cybersecurity defense planning. While some organizations have comprehensive written plans, a significant portion struggle to keep their plans current. Furthermore, the additional challenges of insufficient budget (see also question 6) and lack of proper tools (see also question 10) can hinder the development and implementation of robust defense strategies, contributing to the difficulty in creating and maintaining effective plans.
Additionally, the lack of focus and prioritization highlighted by a substantial percentage of respondents further complicates the situation. Without clear direction and strategic alignment, organizations may struggle to allocate resources effectively.
The answers in this section also imply that there is a disconnect between the priorities of CISOs and those of business leaders. The challenges acknowledged, including budget constraints and a lack of focus, suggest that business leaders may not fully grasp the criticality of robust cybersecurity. This can pose a significant challenge for CISOs, who must navigate competing priorities and convince stakeholders of the importance of investing time and resources in cybersecurity initiatives. It underscores the need for CISOs to effectively communicate the business value of cybersecurity and its implications for the organization’s overall resilience and reputation.
SAGE Cyber Advice:
- Don’t neglect your Cyber Defense Plan (CDP). Make sure you have adopted a CDPO solution that is adaptive and comprehensive.
- A CDP should accurately calculate your organization’s current risk profile and include actionable steps for mitigations.
- Find ways to streamline operational processes to leave enough time for long-term planning instead of reactive crisis management.
Questions 6-7: Budgets
- How Does Your 2024 Cybersecurity Budget Compare to 2023?
Higher 54%
Lower 15%
Unchanged 31%
- Do You Believe Your Organization Allocates Enough Budget for Cybersecurity Defense?
Yes 44%
No 56%
Budget constraints are significantly hampering many organizations’ ability to allocate sufficient resources for comprehensive defense, hindering their overall cybersecurity posture. While a slight majority of organizations have increased their cybersecurity budgets for 2024, most CISOs still believe they don’t have enough room in their budget to adequately address threats. This is putting many CISOs in the difficult position of not being able to implement their optimal cybersecurity plan, and having to make choices of which budget cuts will do the least damage to their level of risk.
This is an obvious challenge, and another indicator that business leaders may not fully grasp the importance of proper cybersecurity planning. According to IBM’s 2023 Cost of a Data Breach Report, the average cost of a breach in 2023 was $4.45 million, a 15% increase over three years. Therefore, it is imperative for business leaders to recognize the potential financial ramifications of inadequate cybersecurity planning, as evidenced by the escalating costs associated with data breaches.
It’s important to remember that the size of the budget alone is not an indicator of the level of cybersecurity preparedness. A larger budget does not necessarily translate into improved outcomes. More money doesn’t necessarily lead to increased security. It’s about using the available data intelligently to help allocate resources strategically to address the most pressing cybersecurity challenges.
These budget-related survey questions reveal that organizations need more focus on effective resource allocation, strategic planning, and alignment with organizational goals to maximize the impact of their cybersecurity investments.
SAGE Cyber Advice:
- When presenting cybersecurity budget proposals to the BoD, use clear, business-oriented language.
- Demonstrate how cybersecurity initiatives align with the organization’s business goals.
- Prioritize budget items according to their direct impact on security risk, and know beforehand what will be easiest to cut.
- Advocate for enough budget to allow for the adoption of proper tools and methodologies that will improve overall cybersecurity posture.
Questions 8-9: The Role of Artificial Intelligence (AI) and Machine Learning (ML) in Cyber Defense Planning
- Do You Currently Use Artificial Intelligence (AI) or Machine Learning (ML) Technologies in Your Organization’s Cyber Defense?
Yes: 5%
No: 95%
Unsure: 0%
- Do You Believe AI Can Be Effective as a Tool for Cybersecurity Defense Planning?
Yes: 45%
No: 26%
Not Sure/Maybe: 29%
The survey results regarding artificial intelligence (AI) and machine learning (ML) technologies in cyber defense highlight a stark contrast between the perception of their potential usefulness and on-the-ground implementation.
Only 5% of the CISOs surveyed are currently using AI or ML technologies. However, many more believe in theory that AI can be an effective part of cybersecurity planning. This gap suggests that the marketplace needs better solutions that harness the power of AI in a way that is specifically tailored to cybersecurity planning, without introducing additional layers of risk.
The significant portion of respondents who either believe AI would not be an effective defense planning tool, or aren’t sure, reveals an understandable skepticism.
CISOs may be skeptical about the usefulness of AI for several reasons. Firstly, CISOs may have encountered challenges with previous new technologies that fell short of the surrounding hype. Now, CISOs may be hesitant to adopt new technologies without clear evidence of their effectiveness. Secondly, there may be organizational barriers such as perceived budget constraints or resistance from other stakeholders that hinder the adoption of AI technologies. Business leaders may be reluctant to squander valuable resources on a potentially ineffective solution. Overall, CISOs may be taking a wait-and-see attitude and choosing to approach integration of AI into their cybersecurity planning with extreme caution until they are fully confident in its ability. Additionally, with so many new AI solutions flooding the marketplace with their over-the-top promises, it is likely that CISOs want to stand back and see if a particular solution emerges as the clear favorite.
SAGE Cyber Advice:
- Now is the time to actively begin evaluating the AI solutions available for cyber defense.
- Conduct several proof-of-concept trials to assess the practical benefits and effectiveness of AI solutions in real-world scenarios.
- Collaborate with business leaders and communicate the potential value of AI in enhancing cybersecurity defenses and maximizing budget.
- Make sure to verify that the AI solution you choose is cyber secure and doesn’t introduce new risks.
Question 10: Tools
- What is the Primary Method (or Tools) Your Organization Uses to Create a Cybersecurity Defense Plan?
Spreadsheets – 62%
Paper and Pen – 21%
Project planning software – 11%
Custom Cyber Planning Software – 6%
The predominance of spreadsheets as the primary method for creating cybersecurity defense plans suggests a reliance on manual and static approaches. Spreadsheets are essential tools for data organization and analysis. However, they lack the sophistication and adaptability required for dynamic cybersecurity defense planning.
Other industries that used to rely on spreadsheets for planning have already moved on to specialized tools. The standard tool for CRM used to be a spreadsheet, until Salesforce was introduced. The same for project management and Monday.com. Now it’s time for CISOs to have a specialized tool as well.
It’s likely that CISOs are using spreadsheets because they are a familiar tool, not as a deliberate choice based on effectiveness or efficiency.
Similarly, the utilization of paper and pen suggests an even more outdated approach to cybersecurity defense planning. While manual methods may suffice for certain aspects of planning, they are inherently limited in scalability, collaboration, and adaptability to dynamic threat landscapes. Organizations relying on paper-based methods may face challenges in maintaining documentation, facilitating collaboration among stakeholders, and incorporating real-time threat intelligence into their defense strategies.
The small percentage of CISOs using software specifically designed for cyber defense planning indicates that there is some growing awareness and desire for dedicated tools. The limited adoption of such tools may indicate that CISOs are missing an opportunity. It is likely that there is an awareness problem. Similar to AI solutions, CISOs may not know that better tools exist, or they may not have taken time to investigate their usefulness.
SAGE Cyber Advice:
- Embrace the emergence of Cyber Defense Planning and Optimization (CDPO) tools, a new product category recently recognized by Gartner, to create your organization’s Cyber Defense Plan.
- Take time to learn more about these dedicated solutions. They will help overcome the limitations of spreadsheets and other methods, and improve the effectiveness of your cybersecurity defense planning processes.
Questions 11-12: The Role of the CISO
- Whom Do You Believe Would Be Held Accountable in Your Organization for a Major Cyber Security Breach?
The CISO 57%
The CEO/ Board of Directors 21%
The IT Department 14%
An External Vendor or Consultant 8%
- In the Event of a Cybersecurity Incident, Whose Interests Should a CISO Prioritize First?
Shareholders and employees 17%
Customers/Clients 78%
Their Own 6%
With a significant majority of respondents identifying the CISO as the individual who would be held accountable for breaches, it is evident that CISOs know they are in the firing line. This result was not surprising given the major recent news stories about CISOs being held legally responsible for the actions they took after a data breach or security incident.
Furthermore, the survey results indicate a clear expectation among respondents regarding the priorities of CISOs in the event of a cybersecurity incident. The majority of respondents said that the interests of customers/clients should be prioritized first, followed by shareholders and employees. This aligns with the current legal reality. The modern CISO is not only tasked with safeguarding organizational assets and data but also with protecting the interests and trust of clients, customers or the public. This underscores the need for CISOs to have the necessary tools, resources, and support to effectively balance the demands of cybersecurity risk management with the expectations of stakeholders and regulatory authorities.
SAGE Cyber Advice:
- Proactively establish clear lines of organizational accountability and advocate for the resources needed to effectively fulfill the role of CISO. This includes prioritizing proactive risk mitigation strategies and ensuring alignment with legal and regulatory requirements.
- Stakeholders must recognize the legal and reputational risks faced by CISOs and provide them with the necessary support and tools they need.
- A detailed audit trail that can offer proof of actions taken and the reasoning behind them is mandatory.
- By prioritizing proactive risk management and advocating for the resources and support needed, CISOs can effectively safeguard organizational assets and protect the interests and trust of clients, customers, and the public.