of CISO/ISO work full-time in this role
of CISO/ISO consider information security as a business enabler & key differenciator
have a strategy that's approved by senior management
of CISO/ISO do not manage a budget
Failing to keep their information secure and not being compliant to regulations exposes organisations to severe operational, legal, financial and reputational risk. There are business benefits from embedding security consciousness in the organisational culture, and making it a core competency. In this survey conducted by the Collège des Professionnels de la Sécurité de l’Information (CPSI) and PwC Luxembourg, the second since 2016, we assess market practices regarding the roles and responsibilities of the Chief Information Security Officer (CISO) or Information Security Officer (ISO), and in particular:
Less than half (42%) of CISO/ISOs manage their own budget. Of these, many (64%), although less than in 2016, think that their budget is sufficient, and most (82%) expect it to increase. Most (91%) CISO/ISOs have a say on Capital Expenditures that may be directed to buying security-related tools, but much fewer (46%) are consulted on Operating Expenses.
One of the key preoccupations of CISO/ISOs is the human factor in cybersecurity. The lack of security qualified professionals, negligent employees without clearly defined responsibilities working in a complex IT environment are prone to cause a lot of damage. They often fall short when it comes to complying, and even circumvent rules and secure practices.
Companies, for their own sustainability, need to promote a security culture where everyone has the responsibility to observe and promote security practices and more importantly, to behave in a conscious way which is in alignment with the company’s information security strategy.
Key takeaways and recommendations
Cybersecurity Manager, PwC Luxembourg
Tel: +352 49 48 48 4166