Strengthening Governance and Leadership in Cybersecurity Transformations

November 4, 2024

This is the second blog post in our cyber governance blog series. Please see our first blog post on building resilience and cybersecurity capability maturity here.


Global organizations are faced with emerging threats as they expand their technology stacks, in addition to vulnerabilities that have been around for several years. To help mitigate both established and new risks, organizations need bold cybersecurity leadership with an increased emphasis on proactive risk management and resilience-focused business practices. Leaders are focusing on integrating cybersecurity into overall business strategies to ensure the continuous protection of organizations’ critical data and network infrastructure.


To effectively execute such a strategy and proactively reduce organizational risk, cybersecurity governance models are crucial. There is a pressing need for formal and structured governance programs that educate employees about the necessity of cybersecurity mitigation strategies to minimize risks and enhance resilience against potential adversaries.

Cybersecurity Leadership across Industries

Our Strategy and Risk Management team conducted maturity assessments of 350 organizations between January 2023 and July 2024. Our assessment findings indicate that organizations across industries have their cybersecurity functions reporting to a senior leadership role such as Chief Information Officer (CIO) or Chief Information Security Officer (CISO). While most organizations in the consumer and industrial sectors are headed by the CIO or others, over 50% of enterprises in the energy and utilities, financials, healthcare and technology and communications sectors have a dedicated CISO as their security leader. Moreover, according to the 2024 Cybersecurity Threat and Risk Management Report produced by the Ponemon Institute and sponsored by Optiv, nearly half of respondents across industries reported that the CIO (21%), CTO (21%) or CISO (7%) had overall accountability for directing the organization’s efforts to ensure a strong cybersecurity posture.


Figure 1: A breakdown of industries with cybersecurity functions reporting to a CIO, CISO or other leaders, according to Optiv Strategy and Risk Management team assessments

 

Based on our research from both studies, we anticipate that as organizations strengthen their cybersecurity programs, the CIO, CTO and CISO leadership roles will become more valuable to ensuring the continued growth and success of security measures. Examining the chart above, which features our client assessment data, what stands out is that the industries most often targeted by cyber adversaries (including healthcare and energy and utilities) mostly have their security functions reporting to a CISO. We expect that the CISO role will continue to grow in importance and responsibility when it comes to cybersecurity investments and program management.


Breaking Down Cybersecurity Investments

Industries globally are expanding their information technology (IT) and operational technology (OT) capabilities as well as their cybersecurity tools and technology, which simultaneously expands organizations’ attack surfaces. Effective cybersecurity insurance coverage has proved essential for organizations moving towards greater financial protection and cyber resilience in support of overall risk management. According to the 2024 Cybersecurity Threat and Risk Management Report, 46% of respondents say that purchasing cyber insurance is one of the most important cyber governance activities. But 52% of respondents say it is highly difficult to purchase cybersecurity insurance because of the insurer's requirements. Only 29% of respondents say they currently have cyber insurance, but 48% plan to purchase it in the next 6 months.


Despite continued investments, 61% of respondents in the 2024 Cybersecurity Threat and Risk Management Report indicated that the number of cybersecurity incidents they experienced had increased (32%) or significantly increased (29%) in the past 12 months. A measured investment in cybersecurity is a critical element of any effective security program, demonstrating an organization’s commitment to safeguarding its assets, employees and customers. The report shows that 59% of respondents across industries reported an increase in the allocation of their IT budget to cybersecurity investments in 2024. Moreover, 46% of respondents allocated over $20 million of their IT budget to cybersecurity investments. This demonstrates that organizations across industries are continuing efforts to stay ahead of sophisticated cyber threats.


Despite noticeable growth in cybersecurity leadership and security investments, a persistent shortage of cybersecurity talent remains prevalent across industries. Organizations continue to struggle with hiring and retaining the right talent for IT and security roles. The 2024 Cybersecurity Threat and Risk Management Report highlights that 42% of respondents indicated a headcount of over 30 IT staff within the organization’s IT security function. However, 25% of respondents reported fewer than 20 IT staff responsible for security efforts, and nearly half (49%) indicated their organization planned to hire more skilled security staff in 2024. Even where reported headcounts are growing in larger organizations, we recognize that these figures can fluctuate as IT and security talent retention concerns persist worldwide. Focusing on Optiv client assessments, our Strategy and Risk Management team’s 2023 reporting data reveals that across industries, IT professionals accounted for just 7% of the total workforce, with around 25% of them specializing in security.


The shortage of qualified professionals is primarily due to the rapid evolution of the cybersecurity industry and of cyber threats. The number of existing professionals, cybersecurity students and new graduates is not keeping pace with growth in demand, which makes it harder for organizations to meet their cyber resilience and talent needs.


As per the graph shown below, industries such as energy and utilities, financials and technology and communications prioritized a balanced mix of cybersecurity professionals relative to their overall headcount. However, traditional sectors like government and public services, as well as industrials, continue to struggle to meet their security staffing targets.


Figure 2: Average IT and security team headcounts across industries, according to Optiv Strategy and Risk Management team assessments


What’s Next: The Future of Cyber Leadership and Governance

Looking to the future, the role of the Chief Information Security Officer (CISO) will continue to evolve. Optiv predicts that as security becomes more challenging to fully manage in-house, organizations will continue looking to managed services, including managed detection and response (MDR) and even virtual CISOs (vCISOs), for third-party support to more cost-effectively cover internal gaps.


As the cybersecurity talent gap persists, we predict that organizations will invest heavily in cross-skilling and upskilling teams by creating robust training and certification programs to combat unknown security threats and safeguard organizations’ data and systems. Building expertise in application security, cloud security, artificial intelligence and the Internet of Things (IoT) demands a holistic approach to security, in which professionals can adapt their skills to address vulnerabilities across diverse platforms.


With the rise of cyber threats and challenges, tailored insurance policies will continue to be an integral part of any business, addressing the specific needs and vulnerabilities of policy holders through predictive modeling techniques that better forecast the likelihood and potential severity of future incidents. For more details on the prioritized governance and cyber leadership practices, please read Optiv’s 2024 Cybersecurity Threat and Risk Management Report.

Pradeep Sekar
Director, Cyber Strategy & Transformation | Optiv
Pradeep is a seasoned cybersecurity leader who has worked closely with and guided Fortune 100 and Fortune 500 Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and their teams across various industries to develop and sustain secure, adaptive and robust cybersecurity programs.
