TSC recently conducted its annual Client Satisfaction Survey (CSS). A big thank you to our clients who took the time to respond, and congratulations to the three winners of Fortnum & Mason’s hampers.
While not a comprehensive assessment of the industry, analysis against the previous year’s survey supports the direction of travel we are hearing about anecdotally in the field, with some surprises as well.
Respondents came from across many industries and company shapes and sizes, reflecting TSC’s broad range of clients. In addition to the core questions related to TSC’s service and the value we deliver — our clients rated us overall as ‘exceptional’ for products and services, but there will be no more unashamed plugs in this article! — we asked a few about the CISO life.
This is what they said:
Unsurprisingly, ‘not thinking before clicking’ was the most insomnia-inducing behaviour (81% of respondents). This was similar to the previous year and maintains phishing as a perennial problem among CISOs.
Another area that registered the same amount of sleepless nights as the year before is ‘not using encryption’ (67%).
The biggest change this year was for ‘posting work-related content’ on social media. One in two CISOs are worried about this, double the one in four proportion a year ago.
""
Phishing keeps 81% of respondents awake at night
‘Not using strong passwords’ also climbed, increasing to 69% from 50% last year.
Worries that appear to have declined are ‘inconsistent classification’, ‘not checking emails before sending’ and ‘using personal emails for company business’. The implication is that the work invested in ensuring people work securely with emails has had a positive impact on behaviour, even if phishing remains impervious to these efforts.
How did our CISOs think their respective organisations progressed from an information security standpoint over 2019? We asked how they thought employee behaviour and organisational resilience had changed in the last year.
The good news is that 90% consider that the employee behaviour had ‘very much’ or ‘somewhat’ improved. When it came to resilience, 81% said this had ‘very much’ or ‘somewhat’ increased.
Combining the data from the two questions reveals that around 25% of CISOs think their organisations have ‘very much’ improved when it comes to both employee behaviour and organisational resilience. The largest proportion, 31%, felt that they had ‘somewhat’ improved in both areas. One in eight (12.5%) said they had seen no discernible change.
""
25% of CISOs consider their organisations to be very much improved in behaviour and resilience
While many factors influence how the CISOs answered – including the maturity of the organisation, industry and geographic spread – it's noticeable that no one reported a deterioration in these two metrics.
We saw a wide range of challenges listed. These derived from detailed, company-specific issues to broad challenges that apply to many companies and sectors.
However, the challenges identified can be grouped into three principal categories:
""
Engagement
Risk
Awareness
Challenges surrounding engagement range from motivating employees around information security to gaining buy-in from key stakeholders (often the board) so CISOs have the backing to drive through their programmes.
The frequent mention of ‘risk’ and how to manage it is a welcome sight. There is a shift (correctly, in our opinion) from eradicating all risk everywhere to identifying, evaluating, prioritising and managing risks down to a minimum – classic risk management that should be an essential part of a CISO’s armoury.
Underlying the challenge of awareness is communication. We see this a great deal among clients. Often CISOs are not marketing or communication experts and look for guidance on how to get across their carefully thought through information security initiatives. As the role of the CISO develops, having some communication experience is certainly an advantage.
Age-old problems such as phishing and gaining board buy-in persist, but there seems to be a noticeable (and positive) shift in the CISO’s lot. A shift that manifests itself in:
""
Improvement in the organisation’s information security behaviour
How the CISO is seen and how they view, approach and execute the role
A growing confidence among CISOs
The importance of information security is growing across sectors and organisations. The CISO role is gaining a higher profile in line. CISO life is changing and our findings support this, and long may it continue.
Finally, we plan to run our next CSS, including a prize draw, at the end of 2020. If you want the chance to win and you’re not already a TSC client, you know what to do!
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51
