CISO Survey: The C-Suite Isn’t Easy Street for Security Leaders


In an era where cyber threats evolve at a breakneck pace, Chief Information Security Officers (CISOs) find themselves at the forefront of safeguarding organizations against a constantly shifting landscape of risks. The role of the CISO has become more critical—and complex—than ever before. What keeps a CISO up at night? What challenges and opportunities lie ahead, and how are they preparing for what’s next?

Portnox dug into the CISO psyche recently, surveying hundreds of security leaders from across North America. Their insights and our takeaways may surprise you. Here’s a glimpse at what we found…

C-Suite is Not All Easy Street

The biggest concerns for CISOs start with the likelihood of being the victim of a data breach, which isn’t surprising. They also worry that the current tools are not enough to keep the cyber wolves at bay, and that implementing the necessary security measures will lead to some difficult challenges.

70% of CISOs Are Concerned About Imminent Attacks

The frequency and sophistication of cyberattacks have increased dramatically in recent years. 70% of CISOs report being “very concerned” about an impending cyber attack. This statistic speaks to the heightened anxiety across industries as hackers employ more complex and coordinated tactics.

  • Why the Concern is Growing: Cybercriminals now have access to more advanced tools and techniques than ever before. Whether it’s ransomware, phishing attacks, malware, or supply chain breaches, the variety and adaptability of these threats are alarming. Additionally, with the rise of nation-state actors and organized cybercrime groups, there’s a constant fear of becoming the next victim.
  • Zero Trust and Beyond: To combat these threats, many CISOs are advocating for a shift toward Zero Trust architectures, which treat every user and device as potentially compromised. But while this approach is increasingly seen as essential, it represents a massive overhaul of existing infrastructure, and many organizations are still struggling to implement it. In fact, 63% of CISOs anticipate challenges when implementing zero trust, although 84% have begun (or plan to begin in the near future) executing a transition to zero trust.

85% of CISOs Say MFA Is Not Enough

Multi-factor authentication (MFA) has long been hailed as one of the most effective defenses against cyber threats, but recent data breaches have started to show its limitations. First and foremost, it still relies on passwords – and 81% of CISOs surveyed said a compromised password is the likely culprit behind a data breach.

  • Limitations of MFA: While MFA adds a layer of security, hackers have found ways to circumvent it. SIM-swapping, phishing attacks that steal MFA codes, and vulnerabilities in authentication apps are just a few of the methods attackers are using to bypass MFA.
  • The Need for Holistic Security: CISOs are increasingly looking at more comprehensive unified access solutions that discard passwords in favor of certificate-based authentication. Combined with endpoint risk assessment and conditional access policies, these solutions provide a comprehensive approach to securing sensitive data and systems.

77% of CISOs Worry a Data Breach Could Cost Them Their Job

77% of CISOs are concerned that a major data breach could result in them losing their job. This fear is not unfounded — in today’s environment, a significant breach can have wide-ranging consequences for an organization, from financial losses to irreparable damage to brand reputation.

  • Increased Accountability: As data becomes a central asset for businesses, the stakes for protecting it have never been higher. High-profile breaches like those involving Cisco, Okta, and SolarWinds have led to increased scrutiny of CISOs and other security professionals. Executives and boards are placing more pressure on CISOs to prevent breaches, and a single incident can become a career-defining moment.
  • A Shift in Organizational Culture: To address this fear, many CISOs are advocating for a stronger cybersecurity culture within their organizations. By involving leadership in cybersecurity discussions and emphasizing a shared responsibility across departments, CISOs hope to shift the burden from being solely on their shoulders to a more collective effort.

90% of CISOs Say It’s Impossible to Keep Pace with Changing Regulations

Regulatory changes are happening at a breakneck pace, and 90% of CISOs feel it’s impossible to keep up. NIS2 looms large on the horizon in the EU, and the US itself is not far behind – in 2023 alone, 130 cybersecurity bills were passed across 39 states and territories.

  • The Growing Complexity of Compliance: Compliance with these laws is no longer just about avoiding fines — it’s about protecting the trust of customers and partners. Each law has its own nuances, and failure to comply can result in significant penalties. With regulators constantly revising requirements, CISOs are under pressure to ensure their organizations remain compliant while adapting to new rules.
  • The Role of NAC: Many CISOs are turning to Network Access Control solutions to help manage compliance. From ensuring access controls are properly applied to enforcing security policies, NAC can help alleviate some of the burdens CISOs face in trying to meet regulatory demands. In fact, 100% of respondents agreed NAC was a critical component of a zero trust framework.

59% of CISOs Try to Balance Employee Experience with Security

Security measures, while essential, can sometimes create friction in the workplace. Nearly 59% of CISOs report struggling to balance stringent security protocols with ensuring a smooth and efficient employee experience.

  • Security Fatigue: Employees are often required to navigate multi-layered security protocols, from complex password requirements to multiple authentication steps. This can lead to “security fatigue,” where employees become frustrated and disengaged, potentially circumventing security measures just to get their work done.
  • User-Centric Security: To address this, many CISOs are exploring more user-friendly security solutions. This includes passwordless authentication methods, which offer security without hindering productivity. Unified access control allows organizations to create security policies that cover all resources, thus making access consistent and uncomplicated for users as they navigate through different tools and resources.

51% of CISOs Report Employees Complaining About Security Measures

Another statistic that underscores the challenge of balancing security and usability: 51% of CISOs say they have heard employees complain that security measures interfere with their work. This tension between security and productivity is a constant struggle for cybersecurity leaders.

  • The Importance of Communication: Often, employees don’t fully understand the reasons behind stringent security protocols. Effective discourse and education about the importance of cybersecurity can go a long way in improving cooperation between security teams and other departments. In fact, 45% of employees felt they were not adequately trained on how to use their organization’s security tools, which suggests a serious lack of communication.
  • The Role of Leadership: Leaders must ensure that cybersecurity is seen as an enabler rather than a hindrance to business goals. When employees understand that security measures protect the organization’s future — and by extension, their own jobs — they’re more likely to comply with security requirements.

The Road Ahead for CISOs

The role of the CISO in the future will be defined by their ability to navigate an increasingly complex and threatening cyber landscape. While the challenges are daunting, CISOs are stepping up to the plate, implementing new technologies, fostering a culture of security, and finding ways to balance the need for both robust protection and business continuity.

From addressing the limits of MFA and preparing for impending cyberattacks to staying ahead of ever-changing regulations, CISOs have their hands full. But with the right strategies and a forward-thinking approach, they will continue to be the guardians of their organizations’ most valuable assets: data, reputation, and trust.

Ultimately, the future of cybersecurity will depend on the collaboration between CISOs, executives, and employees — with everyone playing their part to safeguard the digital infrastructure that powers modern business.
