Cisco Publishes Annual CISO Benchmark Study

A new survey of senior security leader attitudes and practices concentrates on ‘anticipating the unknowns’. It’s a clever choice of words. ‘Anticipating’ implies getting ahead of and being prepared for the unknowns — which is different and more accurate than the more usual use of the word as simply ‘expecting’ the unknowns. This is the task of the security leader: to be prepared for the unknown rather than to wait for and respond to the unknown.

Cisco’s 2019 Chief Information Security Officer (CISO) Benchmark Study has one great strength. It queried more than 3,200 senior leaders with a CISO role (if not title) from 18 different countries. This greater-than-average number of respondents gives it greater-than-average legitimacy.

The results are a mixed bag, giving slightly improving responses over a similar survey last year in some areas, and slightly deteriorating in others. For example, moving security to the cloud allows greater staff efficiency (up from 92% to 93%); and provides more effective security than on-prem solutions (up from 91% to 93%).

Deteriorating viewpoints are most visible in the questions on machine learning (ML), artificial intelligence (AI), and automation. All three questions ask for a statement on the CISOs’ reliance on the technology. This shows the weakness inherent in all surveys: different respondents will interpret the same question in slightly divergent ways, and provide slightly unaligned answers. This is always worse if the question includes any form of value judgement — and ‘reliance’ is a value judgement.

Each of these questions shows a decline in reliance over the last year — and in terms of this survey, quite dramatic declines. Reliance on ML is down from 77% to 67%; on AI from 74% to 66%; and automation from 83% to 75%. These three subjects are the holy cow of contemporary cybersecurity — dozens of start-up vendors focus on machine learning solutions, while nearly all existing vendors have developed or are developing ML-based solutions.

The report (PDF) states, “ML, AI and more automation should be able to boost security efforts exponentially – and next year we need to see more respondents in the ‘completely reliant’ phase of implementation and practice.” The implication is that any decline in their use must be a blip. In fact, Cisco further states, “It could be that adoption is so widespread and integrated into your business processes that you don’t feel it worth calling out;” and “It’s possible that you chose not to be ‘reliant,’ yet selectively automate.”

It could equally be, however, that the bubble of ML expectation has burst, and that in practice CISOs really are less reliant on these technologies because they are not delivering as expected. This is the problem with all surveys that include questions that are in any way value judgments — interpretation itself becomes a value judgment that can possibly be swayed by bias.

That aside, the survey highlights some delicious details that could indicate areas for more detailed research and analysis. For example, the separation of security from IT seems to have slowed — down from 38% to 35%. Despite this, the ability of the CISO to work and collaborate with IT seems to be improving. Ninety-five percent of the respondents judge themselves to be very or extremely collaborative between networking and security teams.

Where this gets particularly interesting is in an apparent correlation between good collaboration and lower costs in breaches. “It turns out,” states the report, “that 59% of those who were very/extremely collaborative between networking and security experienced a financial impact of their most impactful breach of under $100K — the lowest category of breach cost.”

In short, better collaboration between security and IT — probably in the form of DevSecOps — will likely lead to fewer and less expensive breaches. “This clearly merits further analysis and possibly points to greater need and possible development of more DevSecOps teams. The collaboration becomes not a matter of coincidence, but a must, especially in the age of Agile development.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.