In a year that tested our resolve, the RH-ISAC community was resilient. The COVID-19 pandemic altered business-as-usual operations, changing the ways consumers shop and travel, and how employees work. Many of our members were forced to reduce staff and contractors, financially de-prioritize large capital and long-term projects, and delay initiatives that would have contributed to the maturity of their information security programs.
It is no surprise, then, that 45% of the challenges that chief information security officers (CISOs) cited in our 2020 CISO Benchmark Report were organizational. Business priorities changed and increased the demand for internal services while the threat landscape – particularly related to eCommerce – accelerated and evolved. With limited funding, resources, and staffing, our members achieved more with less.
According to the data, up to 50% of information security budgets are being spent on the tools needed to fortify defenses, automate processes, or transition to the cloud. Between 31-40% of the budget is invested in the personnel responsible for operating those technologies while less than 30% is dedicated to third-party services that extend capabilities that cannot be achieved in-house. Considering this context, CISOs from the RH-ISAC community are focusing their 2021 efforts in three key areas:
- Security Architecture: Identity and access management emerged as a fundamental component to any information security program. It is the top priority that FTEs are dedicated to, especially for those working with a small budget. CISOs are also looking to automate security tools and integrations to improve visibility and monitoring across the network, which will strengthen cloud security practices and free up personnel to support large-scale business transformation projects.
- Security Operations: Security Operations Center (SOC) operations, including tools, continues to develop as either a standalone or outsourced capability. Specifically, there is a focus to enhance data protection measures and become more efficient with vulnerability management. In the spirit of doing more with less, many CISOs are working to increase detection and response capabilities while consolidating third-party security solutions. Some CISOs are starting to think beyond incident response policies and playbooks, working to design and develop business continuity and disaster recovery processes.
- Risk Management: As teams mature, more resources are dedicated to understanding new governance and compliance regulations. Many CISOs are looking to leverage risk assessments and frameworks to identify high-risk areas and align controls to standards that guide program maturity. Interestingly, insider threat also emerged as a priority CISOs wanted to address this year.
In addition to these “blocking and tackling” priorities, information security teams also have an opportunity to instill a security-minded culture within their organizations. Whether it is educating executives, turning senior leaders into cybersecurity champions, or providing security awareness training to employees, CISOs can build relationships that help solidify the value of information security, which can influence all aspects of the business, including product development.
Last year showed us how we respond to change. Leaders were called upon to lead – to make the best decision among difficult decisions – and maintain security when certainty was low, and stakes were high. As we make our way in 2021, the beauty will be discovering how we can create our own change in meaningful and lasting ways and turn our past response into future-readiness.
The RH-ISAC is in a unique position to provide industry-specific benchmarking on organizational structure, information security practices and processes, and compliance issues. RH-ISAC benchmarking allows members to finally answer C-suite and board-level requests on “How do we compare with our peers.”
The RH-ISAC completed its second annual CISO Benchmark on organizational data in December 2020. The report, published in February 2021, focuses on three key areas: company demographics, CISO responsibilities, and information security operations, including the collective challenges CISOs face as decision-makers; namely, how to prioritize and allocate budget, staffing, and resources. To learn more about the report or to become a member, contact firstname.lastname@example.org.