
CISO Security Maturity Report 2023 – Ep 433 

 November 17, 2023

By  Donna Grindle

Evaluating the security posture of organizations through the lens of culture, technology, risk, and people is crucial in today’s complex digital landscape. Culture sets the tone for an organization’s security mindset, influencing employee behavior and awareness. Today, we review ClubCISO’s Information Security Maturity Report 2023 that evaluates the security posture according to CISOs across the globe.


In this episode:

CISO Security Maturity Report 2023 – Ep 433

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Cyber Briefs

[03:37]

SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures

The SEC issued a press release announcing that it has charged SolarWinds and its CISO with fraud and internal control failures. The CISO is being charged independently of the company. To be clear, the charges are not about the fact that SolarWinds had a cyber incident. The charges relate to the allegation that they lied about and tried to cover up the lack of security controls in place, painting a false picture of SolarWinds’ cyber controls environment to the public and investors.

[09:20]

AHA sues OCR over rule regulating the use of online tracking technologies | Healthcare Finance News

The American Hospital Association (AHA) is suing OCR over a December 2022 bulletin, titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” that prohibits hospitals from using standard third-party web technologies that capture IP addresses on hospital websites. The AHA claims that these web technologies are crucial to information sharing between hospitals and health systems.

CISO Security Maturity Report 2023

[10:33] ClubCISO released its Information Security Maturity Report 2023, which evaluates security posture as rated by CISOs across the globe. Most of the CISOs that took part in the survey were from organizations headquartered outside the US (73%); North American based CISOs made up only 16%. The CISOs came from various industries as well, but none were from the healthcare industry.

ClubCISO Security Maturity Report 2023 – Full Results – ClubCISO

Key Takeaways

  • Security culture making good progress despite human resource limitations. On the whole, CISOs believe that their security culture is improving but is still a work in progress, yet the average rating for overall security posture was lower than last year.
  • Our respondents unanimously stated that leadership endorsement is the most impactful factor in improving security culture, and alignment between top management and security teams has improved compared to the previous year.
  • While the majority of our respondents feel that security culture is being negatively impacted by too many priorities and a lack of resources, it is personnel concerns that outweigh purely financial constraints, as CISOs feel their main barrier to meeting their objectives is insufficient staffing. In an effort to fix this, over 95% of organizations are trying to retain talent and recruit new staff, with a particular focus on hiring for diversity to strengthen teams and bring different perspectives into the business.

[26:19] It was interesting to see that 60% of the people polled said that “Leadership endorsement of a security culture” was the most effective factor in fostering a better security culture over the last 12 months. 41% said that having a proactive, no-blame “report it” policy was most effective, and 38% said that conducting simulated phishing tests on the workforce was most effective.

Another interesting item on the list was that having security champions in the organization was very effective in fostering that security culture. There are other things on the list that we also talk about often that are effective, including tailored training, table-top exercises, bite-size training and even training aimed at your colleagues’ families.

This next stat from the report is very interesting. Even CISOs are saying leadership endorsement is a major factor.

Negative Impacts

[31:27] We’ve talked about a few of the negative impacts already, including competing priorities, an overstretched and under-resourced security team, and a lack of resources for security awareness and behavior. Check out the next two: “We have acquired other businesses and have different cultures to manage” and “The business has grown quickly, and security culture can’t keep pace.” If you’re growing through acquisitions and mergers, or even through internal organic growth, your security culture can become a big problem and can drag things down.

It’s interesting that external threats and criminality are way down the list, behind other internal and environmental concerns.

According to the report, 55% of CISOs say that their security budgets are the same as last year or have increased by less than 25%. The problem here is that CISOs are saying they already can’t do what needs to be done, while the threats keep increasing. Security budgets have a direct effect on that.

Hot Topics for the Coming Year

[36:42] We’ve talked before about how cyber resilience is what we should be worried about, not just cybersecurity. It’s about how resilient we will be when we are hit by a cyber incident. In the survey, 58% say that strengthening cyber resilience is a hot topic for next year. Second on the list is “Updating and aligning your security strategy to business strategy.” Let’s face it, cyber risk is a risk to your business strategy if you ignore it.

Coming in at #3 is improving the organization’s security culture. That is a key piece, and it is encouraging that it made the top 3, coming in at 45%. We’re making progress, but it needs improvement. Look through the rest of the list: most items rank at or above 30%. Talk about competing priorities.

[44:05] Then, CISOs were asked to rate themselves, on a 5-point scale, on the maturity of their processes to measure, manage and assure supply chain risk. “Defined” is where you want to be, so it’s great that 41% rate themselves there. Only 24% rate themselves above “Defined”, but 33% rate themselves lower. That brings the overall rating down to 2.8. Not so hot.

When asked to rate their organization’s overall risk management program, 67% of CISOs rate their organizations as “Defined” or higher, whereas 29% rate their organizations lower. That’s still a huge problem. But overall, the average rating is a solid 3.0.

And even though we’ve talked about how much the security posture has improved, it’s still at 3.1. In a lot of ways, this is indicative of the big picture: when folks say they haven’t done anything, that is where they are. Unless you’ve been focused and working on security, that’s where you are too. You’ve gotta start somewhere.

When asked “What changes have you made in your operating model in response to changes in the way your organization adopts and governs technology?”, the top 2 responses are exciting and encouraging to see. Check them out below. It gets back to what we often talk about: you need a team that is worrying about this stuff. Everybody’s on the cybersecurity team, and everybody has a role. Figure out which one is yours.

And this last chart shows that 42% of CISOs believe that, to some extent, cyber insurance exacerbates the issue of ransomware, meaning that criminals are aware that organizations have cyber insurance and can pay ransoms, which is why they use ransomware more often as their attack method.

For an organization’s business and security leaders, the CISO Information Security Maturity Report 2023 can assist in aligning security strategy to business objectives. This report serves as a wake-up call for organizations desiring a fortified cybersecurity posture and provides invaluable insights into upgrading your organization’s cybersecurity posture and resilience.

Understanding the risk landscape is crucial to prioritize resources effectively. By conducting risk assessments, organizations can pinpoint potential threats and vulnerabilities, enabling the development of a targeted security strategy. The holistic evaluation of an organization’s security posture across the culture, technology, risk, and people dimensions helps create a robust defense against the ever-evolving landscape of cybersecurity threats.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
