Info-Tech research group analyzed the priorities of several chief information security officers (CISOs) in their recent report.
According to the report, the top 5 priorities include:
Develop and optimize cybersecurity workforce
For the third consecutive year, talent shortage has remained the most pressing cybersecurity challenge, as highlighted by survey data. Respondents rated the difficulty of hiring enough security professionals to meet demands at an average concern level of 3.32 out of 5. Security leaders must identify their current skills gap and organizational needs, define their current security resourcing plan and determine their approach to acquiring the necessary expertise.
Secure the AI revolution.
As many organizations are working to leverage the power of AI, measures must be in place to ensure an effective adoption of the technology. Establishing AI governance should be one of the initial initiatives within an organization's AI roadmap to ensure a strong and ethical risk management framework is in place. However, according to the new report, over 40% of organizations don't have AI governance in place. In order to address potential vulnerabilities, the report advises security leaders to prioritize identifying their organization's AI goals, determine existing security gaps and formalize a comprehensive AI governance framework. This framework must define clear accountability, responsibilities and risk management strategies for AI deployments.
Embed security risk management with the enterprise
With the increasing adoption of AI, organizational reliance on third-party vendor platforms and capabilities will also grow exponentially. This reliance on vendors means increased information sharing and places greater accountability on CISOs or security leaders to safeguard an organization's information assets. Despite this critical need, many organizations lack mature vendor risk management practices. As outlined in the report, in many organizations, the responsibility of vendor risk inadvertently falls on the CISO, given their role in protecting sensitive information and assets. To address this issue, security leaders must evaluate their organization's existing third-party risk management practices, establish comprehensive policies and ensure third-party risk management is communicated effectively to executive leadership.
Operationalize zero trust strategy
As cyberattacks increase in sophistication due to the advancement of emerging technology and evolving attack techniques, organizations are evaluating various defense strategies to protect their most critical assets. The report emphasizes the adoption of a zero trust framework as an effective measure to enhance an organization's security posture and align with its business objectives. A zero trust model can significantly reduce an attacker's capacity for lateral movement within a network, enforce least privilege access across critical resources and minimize the organization's overall attack surface. The report recommends security leaders adopt an iterative and scalable approach to developing a zero trust roadmap, allowing for continuous improvement and strategic deployment with an initial focus on critical surfaces. Security leaders can start by defining their zero trust strategy, assessing and identifying key capabilities and processes, formulating a comprehensive roadmap and then consistently monitoring initiatives to identify enhancement opportunities.
Automate and autonomize security processes
Automated and AI-based threats becoming increasingly prevalent, the need for security process automation and autonomization has become more pronounced. Organizations should evaluate their capacity for refining security processes to proactively defend against sophisticated attacks and maintain a technological edge. However, the firm's research shows that not all security processes are prime candidates for automation, as they could introduce risks if automated. The report recommends security leaders start streamlining their security processes by first defining automation objectives and assessing the current and desired states of their security operations to identify any gaps. Subsequently, they should determine the suitability, value and risks associated with automating each security process, thereby prioritizing initiatives accordingly. Finally, a detailed automation roadmap that aligns with the organization's strategic objectives must be developed and effectively communicated to executive leadership in order to obtain support.