The Top 3 Findings From Splunk’s CISO Report

Talk about a plot twist: Eighty-six percent of CISOs say their role has changed so much that it’s practically a different job than when they first started. 

Throughout my career as a CISO, I've witnessed transformational change in the cybersecurity landscape, so it’s not surprising to me that the security leaders forging the path ahead are juggling a whole new set of responsibilities now. To understand the dynamic challenges and opportunities of the CISO role, a team of us at Splunk gathered the insights of hundreds of CISOs, CSOs and other executive security leaders: surveying 350 people and conducting in-depth interviews with 20 people. 

The research is published today as The CISO Report, authored by Ryan Kovar, distinguished security strategist of SURGe fame, and Kirsty Paine, field CTO and strategic advisor for EMEA. They sought to understand what it’s like to be a CISO today, from the problems keeping them up at night to the steps they’re taking to expand cross-team collaboration. 

I was surprised to learn that across the board, 47% of CISOs report to the CEO, which gives them an unprecedented opportunity to advocate for strengthening the security posture of their organizations. I’ve experienced the impact that educating the board can make, whether it’s about cybersecurity needs within the business or necessary investments to help the organization better withstand cyber risks and attacks. Greater influence of CISOs among the C-suite bodes well for organizations everywhere. There is some variance among industries, however. According to our research, while financial services lagged in terms of the percentage that report to the CEO (34%), an unexpected 84% in healthcare do so.  

As CISOs talk more to the CEO, CFO and others in the executive suite, they are discovering that those leaders care about different KPIs and security metrics today than they did two years ago. I can tell you that in my current and past CISO roles, aligning on these metrics can provide extra job security and influence funding for cybersecurity investments. In our survey, CISOs ranked ROI of security investment as the most important cybersecurity success factor, with results of security testing a close second. I’d also add that metrics that determine the maturity of a security program (per the NIST cybersecurity framework) are also key, and they very much have to do with ROI on investments. If the investments boost the maturity of an organization’s cybersecurity program, that’s a quantified outcome right there. 

As for the state of cyber defense, the research revealed that 83% of survey respondents paid attackers in the wake of a ransomware attack. I’ve worked with many CEOs, and I know a CEO will pay for a ransom over a loss of revenue any day of the week. Beyond ransomware, cyberattacks haven’t slowed down, as 90% of CISOs report their organization experienced at least one disruptive attack last year. This is tough, especially when you’re trying to obtain cyber insurance. Because breaches are so common, insurance prices are skyrocketing — to buy cyber insurance will cost you something just shy of having to surrender your firstborn, but close enough.

That’s just a brief snapshot of what we learned from The CISO Report, which validated and challenged some of my personal experiences as a CISO. There’s more on how AI will shape cyber defense, how organizations are building a culture of resilience and how organizations will increase cybersecurity investments. 

Download the report for a complete analysis, including industry and regional highlights.

Posted by Jason Lee

Jason Lee is Vice President and Chief Information Security Officer at Splunk. A highly respected technology executive with 20 years of experience in information security and operating mission-critical services, Jason led security for large enterprises prior to joining Splunk including Zoom and Salesforce, where he led the delivery of critical end-to-end security operations including company-wide network and system security, incident response, threat intel, data protection, vulnerability management, intrusion detection, identity and access management and the offensive security team. Before that, he spent 15 years at Microsoft and held various senior leadership roles, including Principal Director of Security Engineering for the Windows and Devices division, as well as Senior Director of Developer Services. As Senior Director of Developer Services, he oversaw the design and management of the mission-critical PKI for all products across the company. Lee holds a B.A. from Washington State University.
