Emerging trends, threats and strategies for today's security leaders

The CISO Report | Splunk

Executive summary

Splunk sits at the heart of security operations for many of the world's largest and most complex organizations. We spend our days helping CISOs and their teams get ahead of emerging threats, respond quickly when incidents inevitably occur, and succeed as business enablers. But we also wondered: what do global security leaders really think about AI? Is our hypothesis true that CISOs are becoming central members of the C-suite? Do boards and CISOs speak the same language? In The CISO Report, we share the results of our original research and offer insights on how leaders can evolve along with the cybersecurity landscape. Here are some of the most significant takeaways.

1. Love it or hate it, AI is here to stay

Seventy percent of CISOs believe AI gives the advantage to attackers over defenders, yet 35% are already experimenting with it for cyber defense, e.g., malware analysis, workflow automation and risk scoring. But augmentation doesn't start with AI: 93% of CISOs have extensively or moderately implemented automation into their processes, and AI will only increase that percentage in the future.

2. CISOs often speak a different language than their board

While CISOs' and their boards' priorities are moving closer together, there is still misalignment. Eighty-four percent of CISOs maintain that their board or governing body cares more about regulatory compliance than security best practices. Thirty-one percent say that projects have been delayed due to lack of funding, while 30% say that the security team was unable to support a business initiative.

3. CISOs are now the C-suite

Forty-seven percent of CISOs now report directly to their CEO. Boards are becoming more active security stakeholders. CISOs are being asked to justify their investments, but this isn't a bad thing. It indicates their leaders are listening and overwhelmingly allocating more budget for the year ahead (even if it's still not enough).

4. Most pay ransomware demands

Ninety percent of CISOs report that their organization experienced at least one disruptive attack last year. Even more shockingly, 83% paid attackers in the wake of a ransomware attack (directly, via cyber insurance or through a negotiator), with more than half paying at least $100,000.

5. Boards prioritize security funding

Ninety-three percent of CISOs expect an increase in their cybersecurity budget over the next year, yet 83% see cuts in other parts of their organization. Economic challenges are impacting security, but not in the way you might expect: 80% say they have noticed their organization has faced a growing
number of threats coinciding with the declining economy.

6. There is no resilience without collaboration

Levels of cybersecurity collaboration are highest with IT operations, likely because those integrations are more established, with 36% maintaining that collaboration was good and another 40% saying it was good but improvement was desired. CISOs also hail collaboration with software engineering/application development (42%), the cloud team (40%) and enterprise architecture (27%) as vital to ensuring resilience throughout the organization.

About the authors

Ryan Kovar, Distinguished Security Strategist and leader of SURGe

Ryan is a distinguished security strategist and leader of SURGe, Splunk's security research arm. With over 20 years of experience as a security analyst, threat hunter, defender and Unix plumber, Ryan loves traveling the world and researching the biggest problems for Splunk's customers. Prior to Splunk, he worked at DARPA, the US Navy, the UK Home Office and other organizations as a security practitioner and leader. Ryan has an MSc in Cyber Security from the University of Westminster.

Kirsty Paine, Field CTO and Strategic Advisor, Technology and Innovation (EMEA)

Kirsty Paine (she/her) is a strategic advisor to Splunk customers. As an experienced technologist, strategist and security specialist, she thrives on understanding difficult problems and finding creative solutions. Kirsty's background in cyber security stems from her mathematical roots, built over years working at the UK National Cyber Security Centre, specializing in security, privacy and internet technologies.

Contents

Today's CISO: On the front lines of change
Generative AI elicits genuine insights
  Generative AI fills critical gaps in cyber defense
CISOs and the board get priorities straight
  CISOs expand board presence, own their influence
  Driving a culture change
  CISOs embrace yet question evolving role
CISOs submit to ransomware
  Ransomware: Attackers get a payday
Security investment on the rise
Collaboration is key to building resilience
  Collaboration opens doors, breaks down walls
  Building resilience into the future
A new era of resilience
Appendix
Methodology

Today's CISO: On the front lines of change

The role of today's Chief Information Security Officer (CISO) is complex and rapidly changing. Eighty-six percent say that the role has changed so much since they became a CISO that it's almost a different job. They are emerging as strategists and leaders who have a louder voice in the boardroom. And a growing number of them, now 47%, report directly to their CEO. Of course, their most critical priorities still revolve around defending the organization against an increasingly complex threat landscape. Ninety percent of CISOs have faced a disruptive attack in the last year. And while they're adapting to stay ahead of cyber attackers, they aren't getting much sleep at night.

The CISO story, then, is about the constant struggle they face enabling the business to go fast while walking a daily tightrope between oft-competing priorities: the board's allegiance to business success metrics and the practical realities of securing the organization. For many of them, this means constantly justifying their team's value to the C-suite and the board, while also filling security gaps caused by staffing shortfalls and finding new ways to mitigate organizational risk. The balancing act isn't easy.

The research illustrates a complete picture of the CISO: the issues, challenges and opportunities they face on a daily basis. Yet despite an increasingly sophisticated threat landscape and an uncertain economic outlook, many are optimistic. More than ever before, they have an opportunity to become champions who can effectively change the security culture of their organization. Boards and CEOs are not only listening, but relying on them for guidance. And as CISOs look ahead, their focus will be on collaborating with teams across their organization, working together to become more resilient so they can not only weather any storm, but thrive in its aftermath.

Generative AI elicits genuine insights

"We are trying to stay ahead of generative AI." CISO, government organization
We found that the overwhelming majority of CISOs (70%) believe that generative AI will create an asymmetrical battlefield that will inevitably be tipped in favor of cyber adversaries. We are more optimistic than that, though. We know 35% of CISOs are already using AI for positive security applications, and 61% will likely use it in the next 12 months. Predictably, CISOs thought the highest-ranking malicious use cases would be faster and more efficient attacks (36%), voice and image impersonations for social engineering (36%) and extending the attack surface of the supply chain (31%). Many of these concerns are still theoretical, driven by media reports or by researchers' proofs of concept. At the time of writing this report, we haven't seen generative AI used extensively in real-world attacks, or with any more success than human-written phishing scams.

"We are trying to stay ahead of generative AI. We know it is a technology that is being used. Instead of blocking the technology, we are trying to put as many guardrails around it as possible." CISO, government organization

Generative AI fills critical gaps in cyber defense

Will AI replace jobs? Not entirely. Eighty-six percent of CISOs believe that generative AI will alleviate the skills gaps and talent shortages they have on the security team. That means that instead of replacing jobs, generative AI will more likely be used to fill in labor-intensive and time-consuming security functions that security professionals are reluctant to do anyway (writing policy documents, perhaps?), freeing them up to be more strategic. The reality is that there aren't enough cybersecurity professionals to meet demand. AI might give organizations the ability to supplement staff with everything from documentation to basic ticket triage. So when it comes to fears that AI might "steal your job," try thinking of it in the same way as automation: augmenting, rather than replacing, talent. And when it comes to automation, 93% of CISOs say they have extensively or moderately implemented automation into their processes, giving them a lot of room for innovative use cases in the future.

"We learn in cyber after the fact; with AI and GAI we can be more proactive, and it may help us with skills shortages." CISO, higher education

"I don't know that anybody working in the cybersecurity space has got it easy right now regarding recruiting and retention," says the CISO of a government organization.

So when it comes to how AI can be used for cyber defense, CISOs have lots of ideas. AI is yet another tool that can address challenges ranging from strategic to deeply technical. It's not surprising that CISOs are queuing up mundane technical tasks for AI. But we were also excited to see AI opportunities span into strategic functions: challenges around data quality assurance, enriching and prioritizing alerts, and managing security posture analysis and internal communications. While security problems might not be new, AI offers the potential for new solutions.

AI also provides opportunities to elevate staff skill sets and education. Forty-six percent plan on getting security teams up to speed on effective prompt engineering. Other policy efforts include training employees to better understand the threats posed by generative AI (39%) and establishing protocols to determine the types of tasks appropriate for AI bots (37%) as opposed to those that should be done exclusively by humans.

How companies are using generative AI for cybersecurity

35% Security hygiene and posture management analysis and prioritization
27% Data enrichment of alerts and incidents
26% Internal communications
26% Analyzing data sources to determine which ones should be optimized or eliminated
25% Malware analysis
23% Creating detection rules
23% Creating secure configuration standards
22% Workflow automation
22% Threat hunting
20% Risk scoring
20% Policy creation
19% Incident response and forensic investigation

CISOs and the board get priorities straight

"The board has gotten fairly serious about looking at risk, and cyber is a form of risk." CISO, transportation, tourism and shipping

How do CISOs know if they're doing a good job? We asked them for their success metrics: what they prioritize and what they think their board cares about the most. There is sometimes a wide variance in those two answers, resulting in misalignment and frustration when executed in the field. "You can buy all the technology in the world, but if the users are not well trained then things can go bad," says one technology CISO in an organization of more than 11,000 employees. CISOs also point out more fundamental differences in values and understanding. "Some of the board understands the importance of security," adds the CISO of an outsourcing company. "Some do not." When they speak about quantifying risk, business value and return on investment, however, CISOs are slowly getting the ear of the board/C-suite: 26% say that
they share results of security testing, indicating to boards the best places for intervention and demonstrating smart, proactive leadership. 27% say that they prioritize reporting the ROI of security investments, indicating where interventions and money have already helped, and paving a way to speak directly to the CFO and gain support for future investments. 25% say that the ability to purchase cyber insurance might be the best way to tell boards how safe they are, and/or to justify the investment elsewhere, too.

"I think the awareness regarding the importance of pentesting and cybersecurity is higher than it was three years ago due to recent events in industry," says a CISO of a healthcare organization. This validates another surprising finding: the biggest responsibility for 86% of CISOs is to ensure their governing body/board sees value in funding security investments. As one CISO in transportation puts it, "What the board really wants is risk quantification. They want it in dollars and cents." Yet only 20% of boards rated "ROI of security investment" as a measure of success, possibly because they lack an understanding of how ROI relates to risk, relying instead on other metrics that indicate security posture improvement.

Requirements for ROI are no doubt tougher. Almost a third (31%) of our respondents say that projects have been postponed or delayed due to lack of funding, while 30% also say the team was unable to support a business initiative. Also, 84% of CISOs say that their governing board/body equates strong security with regulatory compliance rather than best practices, which might account for the slight disparity in the importance placed on "status and results from internal and/or regulatory compliance audits." It is not surprising, then, that 90% of CISOs say their governing body/board cares about
different KPIs and security metrics today than it did two years ago. "My board loves a number," says the CISO of a transportation and logistics company. "But the problem with cyber is that it is super hard to come up with one figure that says how good or bad we are." For CISOs and board members alike, it's time to refresh your approach and ensure you're still aligned.

CISOs expand board presence, own their influence

Overall, our research showed that CISOs are formalizing their seniority: 47% of CISOs report directly to the chief executive officer (CEO), followed by 40% reporting to the chief information officer (CIO). Interestingly, Western Europe is leading this trend, with 54% reporting directly to the CEO, and 48% in APAC, while AMER trails at 41%. This is likely due to European legislation, both existing and incoming, that makes the CEO personally liable for security and penalizes them for negligence. In short, ignorance is no longer a defense in the face of a cyber attack.

This shift in reporting illustrates how CISOs are changing their focus toward the business and formalizing their executive roles. Forget closer relationships with the C-suite. They are the C-suite. This trend reflects that security is now as important to organizations as finance (CISOs and CFOs work side by side). And security risk has become just as costly, litigious and impactful to share prices as financial risk.

Driving a culture change

These days, cyber risk is business risk. Organizations often integrate security into their existing business systems and processes. As testament to its importance in the boardroom, a vast majority of organizations (78%) now report having a subcommittee or audit committee focused on cybersecurity, privacy or cyber risk. This could be due, in part, to Europe's legislation, which makes the CEO personally liable for security. Little by little, CISOs are driving change in security culture within their respective organizations, from improving employee awareness to building security requirements into software development and business decision making. "It takes time to change the culture," the CISO of a transportation, tourism and shipbuilding company says. "It has very, very little to do with the technology itself and it's the hardest part of the job." They might be pushing on an open door, or their efforts are finally paying off, but it's clear that their influence on culture extends past their direct sphere of control: 88% report that their governing board or body is making a concerted effort to educate themselves on cybersecurity.

CISOs and boards rank success factors

There is close alignment on the factors that indicate a successful cybersecurity program. Factors are ranked in order of largest to smallest difference between the CISO and board responses:

ROI of security investments
Status and results from internal and/or regulatory compliance audits
Results of security testing
Risk exposure rate or patching/tooling percentage coverage
Feedback from LOB executives/C-suite/Board
Percentage of systems with up-to-date patches
Attainment of security roadmap milestones
Alert inspection and investigation rate
Mean time to respond or remediate (MTTR)
Progress in security/maturity model assessment certifications
Average time it takes to patch a vulnerability
Percentage of systems consistent with policies for security controls
Number of high priority incidents, breaches and other reportable events
Asset and software inventory coverage
Ability to purchase cyber insurance
Percentage of employees completing security awareness training
Number of vulnerabilities identified
Mean time to detect (MTTD)

Chart values as extracted (the row alignment of the two value columns is not recoverable from the chart):
CISO: 27%, 26%, 23%, 23%, 22%, 25%, 22%, 21%, 20%, 20%, 19%, 18%, 17%, 17%, 17%, 16%, 16%, 14%
Board: 23%, 23%, 23%, 21%, 21%, 21%, 20%, 20%, 19%, 19%, 18%, 18%, 18%, 18%, 18%, 17%, 17%, 14%

CISOs embrace
yet question evolving role

Whistle-blowing is still trendy: 82% of respondents say that if their organization was wilfully ignoring security best practices and compliance mandates and putting the business at risk, they would consider becoming a whistleblower. This speaks to a responsibility above their employment, a strong sense of morality and perhaps some lessons learned after shouldering the blame for their organization's security mishaps. To say that they are scapegoats might not be an exaggeration: 84% agree or strongly agree that they're worried about their personal liability for cybersecurity incidents. Our experts recommend that you get a personal lawyer (not a company-provided one) that you can call on short notice, should you ever need to.

And when it comes to purchasing decisions, you could do worse than the tried-and-tested, safe options if you need to impress your board: 90% say their governing body/board puts a high degree of faith in industry analyst recommendations. Many boards and CEOs know that the liability landscape has shifted, but they feel powerless to effectively respond to these new dynamics. This opens an opportunity for CISOs to educate their board and ultimately improve the security posture of their organization.

Ultimately, CISOs now have a bigger seat at the table and a louder voice in the room. The C-suite and the board are listening. Security leaders can use their growing platform to create the change they want to see in the
industry.

CISOs report to the C-suite

47% Chief Executive Officer
40% Chief Information Officer
5% Chief Financial Officer
4% Chief Operations Officer
2% Chief Risk Officer
1% Chief Compliance Officer
1% SVP/VP/EVP

CISOs submit to ransomware

"My goal: Not to be at the helm when we have a major cyber breach." CISO, company in the banking industry

90% reported at least one disruptive attack

Most concerning cyber threats

40% Social engineering attacks
37% Operational technology (OT) and Internet of Things (IoT)
33% Ransomware
30% Insider threats
29% Third-party risk
24% Distributed denial of service attacks
24% Destructive malware
24% Errors and misconfigurations
24% Cryptomining
21% Account takeovers
20% Fraud

CISOs are likely going to face a major attack: a staggering 90% reported suffering at least one disruptive attack in their organization over the last year (43% at least once, 34% "a couple of times," and 13% "several times"). It should be no surprise that social engineering, OT/IoT and ransomware are top-of-mind concerns for CISOs: threats that are not only featured prominently in the media, but are also financially devastating. "Your decisions impact how the business runs," says the CISO of a healthcare organization. "If you make bad choices, you might kill the business."

Ransomware remediation (chart values as extracted)

4% disaster recovery service provider

Ransomware payouts

44% $25,000-$99,999
26% $100,000-$249,999
16% $250,000-$999,999
9% $1 million or more
1% Don't know
1% Prefer not to say

and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2023 Splunk Inc. All rights reserved.

Perspectives by Splunk: by leaders, for leaders. Get more executive viewpoints on security, IT and engineering at our online publication, Perspectives by Splunk. You'll hear from Splunk's own leaders and experts, as well as guest contributors from the industry. We aim to deliver interesting, provocative and actionable insights by people who have done your job at some of the largest companies in the world. Visit Perspectives by Splunk. Keep the conversation going with Splunk.