Organizational and leadership mindset gaps in supporting CIOs could weaken or undermine even seemingly comprehensive response plans, as one survey suggests
Through a Sep 2023 poll of 1,917 IT security practitioners from firms with 100 to 5,000 employees across various industries in the United States (522), the United Kingdom (372), France (329), Germany (425), and Australia (269), some trends were summarized in a report on cyber risk resilience.
First, 49% of respondents from the smaller to mid-sized firms listed implementing “company-wide security policies such as authentication measures and access controls” as one of their top two governance challenges. Other challenges indicated by respondents included: “senior management doesn’t see cyberattacks as a significant risk” (35% of smaller firms); “lack of budget” (38% of larger firms); and “lack of skilled professionals” (35% of larger firms).
Second, around one in 10 respondents indicated not having an incident response plan to turn to, in the event of a successful breach. Other concerns indicated included “a lack of security and control over the supply chain” and “visibility into third parties with access to sensitive or confidential data.”
Third, respondents from financial services organizations were the most confident about their ability to cope, with 55% rating their security posture as “highly effective”. The smallest firms surveyed were the least optimistic, with 48% rating their security posture at the lower end of the scale.
Another key trend in the data was that 23% of respondents from the largest firms polled cited never having tested their incident response plan, possibly because doing so in a large business can be a complex, time-consuming, and disruptive process. Further, around one in 10 overall indicated they did not have an incident response plan in place.
According to Siroui Mushegian, CIO, Barracuda Networks, the firm that commissioned the poll: “For many businesses today, a security incident of some kind is almost inevitable. What matters is how you prepare for, withstand, respond to, and recover from the incident. This is cyber resilience. When NIST updated its benchmark cybersecurity framework… it added security governance as a strategic priority.”