Cyber Security and the Culture of Alienation

JC Gaillard
Security Transformation Leadership
Aug 17, 2020

Empirical, bottom-up and organically developed cyber security functions need to evolve

The 2020 Information Security Maturity Report from ClubCISO makes interesting reading.

It compiles responses from 100 of their members to a questionnaire sent in March 2020, around the time of the COVID-19 lockdown decision in the UK. Comparing results year on year is not entirely meaningful for such surveys, in the absence of any form of data normalisation (you have no guarantee that the panel responding is the same year on year); yet some interesting patterns emerge.

The typical respondent is a CISO working for a mid-size or large organisation (82% have more than 500 staff), headquartered in the UK or Ireland (75%), and has spent more than 10 years in the Infosec industry (69%); 60% have been in their present role for less than 2 years.

Collectively, they paint a slightly uncomfortable picture: the picture of CISO roles and security practices still operating bottom-up, disconnected from the dynamics of the business. When asked which concerns most affect their ability to deliver against objectives, 49% mention the culture of the organisation (as if they were not part of it), 36%, the speed of business change (as if it was happening all around them but…

JC Gaillard
Security Transformation Leadership

Founder & CEO @CorixPartners @Transform_Sec | Top #Cybersecurity ThoughtLeader on @Thinkers360 | Board Advisor & Non-Exec Dir | Author http://buff.ly/41a574n