Onyxia Cyber today released the “Regulation, Reporting, and Risk Management: Voice of the CISO 2024” report. Based on responses from over 200 U.S. CISOs across a range of industries, the report provides an in-depth analysis of how CISOs think today, compliance risks, AI opportunities, and how business decisions are impacting their position.
The job of a CISO has changed dramatically over the last few years. What was once a technology-oriented cybersecurity role has now evolved to focus on security strategy and quantifying and mitigating business risk. As compliance regulations adjust to an evolving risk landscape and the cost of breaches increases year over year, executives are realizing the importance of keeping cybersecurity personnel at the table.
Strict new regulations such as the SEC’s Cybersecurity Disclosure Rule in the US and the EU’s Digital Operational Resilience Act (DORA) are creating significant challenges for many organizations. A shocking 67% of CISOs feel unprepared for these new compliance regulations, and 52% admit that they lack sufficient knowledge about how to report cyber attacks to the government.
“As cyber threats grow and regulations impose heavy penalties for non-compliance, it is imperative that CISOs reevaluate and strengthen their security programs based on data. Our research reveals important industry benchmarks and highlights areas of strength and significant gaps that require urgent action,” said Sivan Tehila, CEO and founder, Onyxia. “CISOs must increase their preparations, improve their security hygiene, and embrace new technologies like AI to make the most of existing security tools to protect their organizations.”
Other key findings include:
Incident response planning: More than half (56%) of surveyed CISOs admit they are dissatisfied with their current incident response strategy, indicating that significant improvements are needed to effectively handle cyber incidents.

Communication with the board: 67% report struggling to effectively persuade executives about their security strategy and get buy-in for the effort. Interestingly, only 19% of those who have been CISOs for more than five years find it very easy to share their strategy with the board, compared to 40% of less experienced CISOs who say the same.

Security hygiene: Basic security measures like multi-factor authentication (MFA) and strong passwords are not universally implemented. CISOs believe that on average 11% of user accounts have weak passwords and 13% are acceptable without MFA, indicating there is room for improvement.

AI integration: 84% of CISOs currently measure the effectiveness and performance of their security programs using spreadsheets, analysts, or a combination of the two approaches. Despite their reliance on manual methods, CISOs see potential in AI: 97% believe AI can enhance risk management, 54% believe AI capabilities can help identify coverage gaps or redundancies in the security stack, and 42% expect to see a role for AI in automating business-level risk reporting.
“Our industry is in a phase of evolution,” said Chris Roberts, cyber CISO advisor at Onyxia. “Right now, our industry is in a phase of maturity where business drivers, leadership conversations, conversations about law, compliance, regulation and accountability are taking precedence over most other concerns. This report paints an honest picture of where we are, what we’ve done, and what we need to do.”
For more information, download the full report.