<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CISO Forum &#8211; CISO Forum</title>
	<atom:link href="https://www.cisoforum.com/author/cisoforumdev/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.cisoforum.com</link>
	<description>An Exclusive Forum For Information Security Leaders</description>
	<lastBuildDate>Fri, 04 Oct 2024 12:54:55 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.cisoforum.com/wp-content/uploads/2025/04/cropped-apple-icon-152x152-1-32x32.png</url>
	<title>CISO Forum &#8211; CISO Forum</title>
	<link>https://www.cisoforum.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>CISO Salaries: Cybersecurity Leaders Are Getting Paid More and Moving Less, Survey Shows</title>
		<link>https://www.cisoforum.com/ciso-salaries-cybersecurity-leaders-are-getting-paid-more-and-moving-less-survey-shows/</link>
					<comments>https://www.cisoforum.com/ciso-salaries-cybersecurity-leaders-are-getting-paid-more-and-moving-less-survey-shows/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Fri, 04 Oct 2024 12:54:53 +0000</pubDate>
				<category><![CDATA[Reports]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Salary]]></category>
		<guid isPermaLink="false">https://www.cisoforum.com/?p=8464</guid>

<description><![CDATA[Average annual compensation packages for these cybersecurity leaders are more than $550K; and ‘top’ CISOs’ earnings can be above $1 million a year.]]></description>
										<content:encoded><![CDATA[
<p><strong>(Kevin Townsend &#8211; <a href="https://www.securityweek.com/ciso-salary-surge-fewer-job-changes-bigger-paychecks-for-experienced-cybersecurity-leaders/" target="_blank" rel="noopener">SecurityWeek</a>) &#8211; CISOs are getting paid more and moving less – and experience counts. Average annual compensation packages for these cybersecurity leaders are more than $550K; and ‘top’ CISOs’ earnings can be above $1 million a year.</strong></p>



<p>IANS Research and Artico Search queried 755 CISOs (699 of whom work in the US and Canada) for their fifth annual CISO Compensation Report. The key finding is that annual compensation for US&nbsp;<a href="https://www.cisoforum.com/" target="_blank" rel="noreferrer noopener">CISOs</a>&nbsp;is now $565K. The top 25% of earners receive more than $620K, the top 10% receive more than $1M, and the top 1% receive around $3M.</p>



<p>Reaching the upper brackets of remuneration is not easy. It’s a complex combination of the company vertical and the CISO’s experience. For example, the highest total remuneration package ($721K) is found in the tech sector; followed by financial services ($705). The cash element of these packages is reversed, with financial services paying $495K and tech paying $407K. Education retains its vocational element, since the total remuneration is a ‘meager’ $243K.</p>



<figure class="wp-block-image"><img decoding="async" src="https://www.securityweek.com/wp-content/uploads/2024/10/CISO-Salary-Trends-1024x419.png" alt="CISO Salaries" class="wp-image-39678"/></figure>



<p>Experience is also important. “Two-thirds of CISOs with top-quartile compensation have at least eight years’ tenure, 69% have held the top security job at multiple companies and 61% have cross-industry experience,” notes the&nbsp;<a href="https://sf-cdn.iansresearch.com/sitefinity/docs/default-source/reports/2024-ciso-compensation-summary-report_10022024.pdf" target="_blank" rel="noreferrer noopener">report</a>. “Our CISO compensation analysis found tenured CISOs (with eight to 15 years of CISO experience) who held CISO or senior security leader positions at more than two companies enjoy a 61% compensation advantage over CISOs who haven’t changed employers during their tenure as CISO.”</p>


<div class="wp-block-image">
<figure class="aligncenter"><img decoding="async" src="https://www.securityweek.com/wp-content/uploads/2024/10/CISO_Compensation-2024-1024x513.png" alt="CISO Salaries by Vertical" class="wp-image-39679"/></figure>
</div>


<p>The report also notes that fewer companies are seeking a new CISO, and fewer CISOs are seeking a new company: CISO rotation dropped from 21% in 2022 to a projected 11% in 2024. It isn’t clear whether the slower CISO churn reflects the general post-pandemic economic situation (if you’ve got a job, hang on to it), or indicates a growing maturity in the security marketplace.&nbsp;</p>



<p>Nevertheless, 75% of CISOs are still considering or open to new opportunities: CISOs remain open to a move, but fewer do so. This may be related to watching the balance between potential pay increases from moving and retention incentives for staying. Thirty-one percent of CISOs reported a compensation boost through changing employers in 2024, while an equal 31% reported an incentive boost for staying. The report’s remuneration analysis also suggests that changing companies (provided it is not too frequent) may boost future earnings capacity.</p>



<p>One thing is clear – the complexity and responsibility of the CISO role is continuing to grow. “Over the last ten years, we’ve consistently seen the security function elevated to a business function rather than a back-office cost center,” comments Steve Martano of the IANS Faculty and a partner at Artico Search. “Consequently, we’re seeing CISOs command perks aligned with executive leadership team benefits. This may include severance clauses, being named on the D&amp;O insurance and equity-heavy compensation packages.”</p>



<p>It’s taken a long time, but despite the title ‘Chief IS Officer’, it is only relatively recently that businesses have been treating CISOs as genuine and full members of the C-Suite. This is further confirmed by the increasing inclusion of the CISO in the company Directors and Officers (D&amp;O) insurance; which, in turn, may have been spurred by the SEC’s growing willingness in 2023 to hold individual CISOs&nbsp;<a href="https://www.securityweek.com/cisos-spooked-by-sec-lawsuit-against-solarwinds-ciso/" target="_blank" rel="noopener">liable</a>&nbsp;for their security actions or failures. The SEC’s power has since been clouded by SCOTUS overturning the&nbsp;<a href="https://www.securityweek.com/supreme-court-ruling-threatens-the-framework-of-cybersecurity-regulation/" target="_blank" rel="noopener">Chevron Doctrine</a>&nbsp;in July 2024; but it is very likely that these events have made companies realize the full importance of the CISO to their business.</p>

]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/ciso-salaries-cybersecurity-leaders-are-getting-paid-more-and-moving-less-survey-shows/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CISO Conversations: Leading CISOs in the Healthcare Sector </title>
		<link>https://www.cisoforum.com/ciso-conversations-leading-cisos-in-the-healthcare-sector/</link>
					<comments>https://www.cisoforum.com/ciso-conversations-leading-cisos-in-the-healthcare-sector/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Thu, 04 Jan 2024 10:00:00 +0000</pubDate>
				<category><![CDATA[CISO Conversations]]></category>
		<category><![CDATA[CISO]]></category>
<category><![CDATA[Healthcare]]></category>
		<guid isPermaLink="false">https://www.cisoforum.com/?p=8418</guid>

					<description><![CDATA[Three CISOs discuss the role of security leadership: William Dougherty (Omada Healthcare), Barbee Mooneyhan (Woebot Health), and Mark Wochos (VEDA Data Systems).]]></description>
										<content:encoded><![CDATA[
<p>(Kevin Townsend &#8211; SecurityWeek) &#8211; <em>SecurityWeek</em> discussed the role of security leadership with <strong>William Dougherty</strong> (Omada Healthcare), <strong>Barbee Mooneyhan</strong> (Woebot Health), and <strong>Mark Wochos</strong> (VEDA Data Systems). All three are CISOs in one of the world’s most attacked sectors: healthcare.</p>



<h1 class="wp-block-heading has-medium-font-size" id="h-the-route-into-cybersecurity">The route into cybersecurity</h1>



<p>All three of our CISOs entered cybersecurity via IT. Dougherty had led the creation of an MSP where he became VP operations. He was recruited by one of the MSP’s customers and became corporate computing services manager.&nbsp;</p>



<p>“We started having problems with people trying to break our systems. We didn’t really have a security function; so, I went to my boss and said, hey, I think we need a security department and I want to run it.”</p>



<p>This is a recurring theme in this series of&nbsp;<a href="https://www.securityweek.com/category/ciso-conversations/" target="_blank" rel="noopener">CISO conversations</a>&nbsp;– career progression is often self-initiated: see an interesting gap, step up, and fill it.</p>



<p>Barbee Mooneyhan had been in IT for almost 20 years, but never quite felt it was where she should be. She would often help members of the security team, and eventually asked if she could transfer. She did.</p>



<p>“I just studied and studied and studied, and it took me over a year to get into security properly.” She moved to another company as a security team member, becoming the team manager about a year later. But now she had found where she should be. “I absolutely fell in love with security the moment I landed in it.”</p>



<p>Mark Wochos was a systems and network engineer. This was in the days before cybersecurity evolved into a separate field of expertise. “So, it was automatically part of my duties. But it piqued my interest and I spent more of my time focusing on that area.” People focusing on cybersecurity so early tended to automatically become managers.</p>



<p>So, see a gap and fill it; especially if it is one that attracts you.</p>



<h1 class="wp-block-heading has-medium-font-size" id="h-becoming-a-leader">Becoming a leader</h1>



<p>A CISO differs in one major aspect from a manager: a CISO must also be a leader. Wochos draws an interesting distinction here: “Anyone can be a leader. You don’t necessarily need to be a manager to be a leader.” Most teams have a go-to person that other members seek out for advice on tricky problems. That person is a leader, but he or she is probably not a manager; and may prefer to remain an engineer rather than become a manager.</p>



<p>Being a manager requires a different skillset to being a leader. There are good managers who are not good leaders, and there are good leaders who are not good managers. A successful CISO must have both skills.</p>



<p>In the early days of cybersecurity there was no existing organizational structure. A good and ambitious engineer could jump straight into a cybersecurity management position. That almost certainly cannot happen today. The route now is from team member to team leader to manager and – if you tick all the boxes – eventually to CISO. This process naturally teaches management skills – but the CISO also requires exceptional leadership skills.</p>



<p>You can learn management skills from books. Most CISOs believe you can also learn leadership skills, but this comes from desire, the advice of mentors, observation of other leaders, and a smidgen of natural charisma. Mostly nurture, but a little bit of nature.</p>



<p>Mooneyhan provides an example from her own career. Her task was to develop a threat hunting and incident response program. What she found was a non-team – just individuals doing their own thing and not generating any coordinated information. Her response was to fly everybody to a private summit – including her boss – in Nashville.&nbsp;</p>



<p>“We sat in a room for three days, and we planned out everything that was going to happen. I think I just took the reins. The next year I did the same thing.” That showed the desire and charisma to lead, and demonstrated leadership.</p>



<p>“I think most leaders make themselves, but no leader makes themselves alone,” says Dougherty. “Leadership is a skill that must be learned, like any other skill. And the best way to learn that skill is through observation, and apprenticeship. You must have mentors and guides and leaders above you that are willing to help you learn. I don’t believe you come fresh out of school ready to be a leader. Leaders are made, not born.”</p>



<p>The implication here is if you are a manager wishing to become a CISO, you must have the desire and willingness to learn leadership. But it can be learned.</p>



<p>Wochos agrees with this. “It is something you can absolutely learn. Obviously, there are certain people who have natural charisma or natural leadership skills that they are born with, but a good leader must spend time focusing on those skills. Anyone who has the desire to move into a leadership role can do so if they’re willing to put the time in.”</p>



<h1 class="wp-block-heading has-medium-font-size" id="h-building-and-keeping-a-strong-security-team">Building and keeping a strong security team</h1>



<p>Key to being a successful CISO is the ability to recruit and keep – gain and retain – a strong, well-balanced security team. Different CISOs develop their own methods for recruitment. Wochos, for example, prefers to recruit from within his company. “My preference is to find someone internal who has a desire to move into security, because that seems to be more effective.” That doesn’t mean he doesn’t recruit externally for specific roles, but he adds, “I think having an existing relationship and having people who already understand the company jumpstarts the whole process.”</p>



<p>Mooneyhan notes a common problem for smaller organizations: “I don’t have the luxury of being able to recruit and train entry-level staff – I need people who can be effective from day one without requiring a lot of handholding.” This involves going through hundreds of resumes looking for people who might fit – and this much is fairly standard.</p>



<p>What differs is the first interview. She talks about herself and her way of working, and about the company. She asks the candidate about passions and aspirations. By the end of the conversation, she knows whether the candidate wants to work for her, and whether they can work together. This process weeds out those who just wouldn’t fit into her culture, and it is only at the second, technical interview that she investigates whether the candidate is qualified for the position.</p>



<p>All three CISOs take the same approach to keeping a strong team. It involves taking a personal interest in each individual. Compensation is important, but not what makes people want to stay. Team members stay on the team if they are interested, engaged, have a sense of purpose and fulfillment, and a clear career path.&nbsp;</p>



<p>“Every career is ad hoc,” comments Wochos. “In the short term, my approach is to have that conversation with everyone to understand what they’re doing, where they want to go – and then help create a plan to get there. In some cases, particularly with people who are newer to the industry or new to the role, that person might not know where they want to go. So, you use your intuition, some of your own expertise and wisdom, to try to push them in a direction you think they’ll be good – but that only works if they have a desire to want to walk with you.”</p>



<p>The secret to retaining a strong security team is to make each member want to walk with you, but to train and mentor them so they are eventually capable of walking ahead on their own.</p>



<h2 class="wp-block-heading has-medium-font-size" id="h-the-importance-of-diversity">The importance of diversity</h2>



<p>Diversity is an important ingredient in the team mix. “If I don’t have diversity of thought, I don’t have a fully functioning team,” says Mooneyhan.&nbsp;</p>



<p>“I really focus on diversity of thought,” adds Dougherty. “I want to hire really smart people that are likely going to disagree with me, because that allows us to bring the best arguments forward.”</p>



<p>For example, Dougherty is pleased he has team members that come from an arts rather than purely technical background. “I value that because when you have a diverse team, you have a number of different opinions, and it allows you to come to a more holistic answer.”</p>



<p>Diversity goes way beyond gender diversity – which is difficult to achieve because of the smaller number of female applicants. It includes race, socio-economic background, culture and LGBT. Full diversity is difficult for smaller organizations because the security team isn’t large enough to include everyone – and CISOs must choose the best person regardless of background.</p>



<p>Nevertheless, each of the CISOs would welcome&nbsp;<a href="https://www.securityweek.com/harnessing-neurodiversity-within-cybersecurity-teams/" target="_blank" rel="noopener">neurodiversity</a>&nbsp;into the mix. “We embrace that,” says Wochos. “In fact, I do have one or two neurodiverse people on my team.”</p>



<p>Dougherty adds, “I’ve had the pleasure of working with a few people that would fit in that category and they’ve been fantastic people. Some of the neurodiverse people I’ve worked with have been incredibly good at data and math and statistics. So, if you put them in an analyst role, where they’re doing that sort of thing, they thrive.”</p>



<h2 class="wp-block-heading has-medium-font-size" id="h-maintaining-mental-health-in-the-team">Maintaining mental health in the team</h2>



<p>The potential for&nbsp;<a href="https://www.securityweek.com/burnout-in-cybersecurity-can-it-be-prevented/" target="_blank" rel="noopener">burnout</a>&nbsp;is increasingly recognized. Dougherty explains part of the cause within the security team. “There’s a portion of the job that is… I don’t want to say boring, but it’s rote. Every day you must look at your SIEM and you must look at your log files. So, you review 1000 entries in a system looking for problems. And you clear them all and tomorrow morning, you wake up and you’ve got another 1000 entries, and a year from now you still have another 1000 entries to look at. That creates a tedium. But, in addition to that, you also have these moments of incredibly high stress. You find something, and you must figure out whether it’s a false positive or is the entire house on fire? And as soon as you’re done with that crisis, you have to go back to the tedium – and the cycle never ends; every day, you’re going to get another 1000 log entries.”</p>



<p>Burnout is something that can happen to anyone in any profession, including (and perhaps especially) the CISO. For the CISO, the buck stops here. There is generally less external company support available, and the CISO must be self-disciplined to prevent personal burnout.</p>



<p>Wochos describes how his company, like many others, manages burnout for the team. “We focus on our people’s mental health,” he explains. “We provide the opportunity for mental health days when people need to step away. We provide mental health benefits. If I see one of my engineers who has not taken time off for a while, I’ll force them to take a day off. ‘Hey, by the way, you’re not coming in on Friday. Goodbye, we’ll see you next week. Take a day off.’ We think that’s important to allow people to take time off to refresh and come back as their best self.”</p>



<p>He believes the problem can be exacerbated by remote working, with staff working excessive hours. “We provide guidance and suggestions and try to enforce them where possible. ‘Separate your workspace from your living space. Find hours when you will not work, and step away from work in these periods.’”</p>



<p>The key to preventing burnout lies in the old adage: finding and, if necessary, enforcing a good work/life balance.</p>



<h1 class="wp-block-heading has-medium-font-size" id="h-advice">Advice</h1>



<p>We ask all the CISOs in this series to tell us the best advice they ever received, and what advice they would now give. The former tells us how to become a good leader, while the latter tells us what has been learned after succeeding.</p>



<p>Mooneyhan says the best advice she received comes from the Robert Frost quote: “The best way out is always through.” Frost has another similar quote: “Hope is not found in a way out but a way through.” For Mooneyhan, this translates as not trying to avoid difficulties, but confronting them and solving them.</p>



<p>Dougherty cites two pieces of advice: never stop learning; and surround yourself with people you believe have the potential to be better than you while giving them the opportunity to be so.</p>



<p>For the former, he says that technical learning is good, but you shouldn’t limit yourself. “Continuously expand your knowledge. Be a sponge. You won’t always know when you will be able to use that knowledge, but eventually you will. To be an effective CISO, you must be continuously learning.”</p>



<p>For the latter, he comments, “Their success will reflect back on you as a leader. The ultimate value of success is 20 years down the road when they’re all leaders too.”</p>



<p>For advice given, Mooneyhan points out the necessity to learn additional skill sets as you move up the career ladder. Management skills are different from engineers’ skills. And when you get to C-suite levels, you need to add leadership skills and business skills.</p>



<p>Dougherty advises on the need to build strong trusting relationships. “It may be counterintuitive in the security world because our inclination is to trust no one – but the paradox is that to be effective, you have to surround yourself with people that you trust and that trust you.”</p>



<p>Wochos simply says, “Be true to yourself. Don’t let a company mold you into someone you don’t want to be. Just be true to yourself. Be who you are, don’t lose yourself while you’re evolving into a good leader.”</p>



<h1 class="wp-block-heading has-medium-font-size" id="h-threats">Threats</h1>



<p>A good CISO will lead a strong, diverse, and healthy team for one primary purpose: to prevent cyber threats impacting the company’s bottom line. Understanding those threats is imperative – especially in healthcare, one of the most attacked sectors.</p>



<p>“I’ve been concentrating on buttoning down our public threat landscape in the expectation of more national threat actors,” commented Mooneyhan.</p>



<p>“The media focus is on malware,” says Wochos, “and understandably so because it is interesting and challenging. But the greatest threat is, and will continue to be,&nbsp;<a href="https://www.securityweek.com/security-awareness-training-isnt-working-how-can-we-improve-it/" target="_blank" rel="noopener">social engineering</a>. Almost every attack goes through social engineering attack vectors. Getting your workforce to be alert with the proper level of paranoia and education, and the understanding to ask questions and not just do things… this is the greatest risk and will probably remain so for the foreseeable future.”</p>



<p>Dougherty’s concern is on a similar theme. “I have long held that my number one threat is the insider. I’ll say this in an impolite way, and then I’ll try to make it more polite. I’m always fighting against malicious and stupid, and stupid is always stronger than malicious.”</p>



<p>‘Malicious’ comprises the external actors that try to cause harm and steal data. ‘Stupid’ comprises the internal workers who are simply trying to do their job as efficiently as possible, but with a system that doesn’t preclude careless errors.&nbsp;</p>



<p>“The biggest threat comes from the people inside who already have privileged access and are trying to do the right thing but just make a dumb mistake. They’re not trying to circumvent your controls; they’re trying to get their job done. The hardest thing to do is to design systems that allow people to get their work done, while at the same time preventing them from making mistakes. Human error with the best intentions from people who were just trying to do the right thing and get their job done within a system that promotes productivity but doesn’t catch those errors – that’s the biggest threat.”</p>

]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/ciso-conversations-leading-cisos-in-the-healthcare-sector/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CISO Conversations: Intel, Cisco Security Chiefs Discuss the Making of a Great CISO</title>
		<link>https://www.cisoforum.com/ciso-conversations-intel-cisco-security-chiefs-discuss-the-making-of-a-great-ciso/</link>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Wed, 27 Jan 2021 00:12:57 +0000</pubDate>
				<category><![CDATA[CISO Conversations]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[Intel]]></category>
		<category><![CDATA[Leadership]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=504</guid>

<description><![CDATA[SecurityWeek talks to two veteran security leaders in the technology sector: Brent Conran, CISO at Intel, and Chris Leach, Senior CISO Advisor at Cisco Systems. The purpose is to understand what makes a successful modern CISO.]]></description>
										<content:encoded><![CDATA[
<div class="wp-block-image"><figure class="aligncenter size-large"><img decoding="async" src="https://www.securityweek.com/sites/default/files/features/CISO_Conversations_Header_title.png" alt=""/></figure></div>



<p><em>In this installment of SecurityWeek’s CISO Conversations series, we talk to two veteran security leaders in the technology sector: Brent Conran, Chief Information Security Officer (CISO) at <a href="https://www.intel.com/" target="_blank" rel="noreferrer noopener">Intel</a>, and Chris Leach, Senior CISO Advisor at <a href="https://www.cisco.com" target="_blank" rel="noreferrer noopener">Cisco Systems</a>. The purpose, as always in this series, is to understand what makes a successful modern CISO.</em></p>



<p><strong>Organizational hierarchy</strong></p>



<p class="has-drop-cap"><strong>The enduring question for many CISOs is where their role fits best in the organizational hierarchy. It’s an important question. Reporting to the CIO or CEO can be problematic because they have different priorities. Reporting to the CFO, Legal or Audit can be problematic because they don’t usually understand the nitty gritty, down-in-the-weeds function of cybersecurity.</strong></p>



<p>Nearly every CISO has a personal view on the question, usually with some slight variation from others, depending on their own experiences. Brent Conran from Intel has a dramatically different view from most. “Well, I work for myself,” he said. He doesn’t mean it in the normal legal sense. He means it in the psycho-emotional sense. “Once you’ve got that part of the equation figured out – that you’re a going concern in your own right – where you report to doesn’t much matter.”</p>



<p>But he admits it’s a vexed question. He’s been attending the RSAC Executive Security Action Forum each year for the last ten years. “They’ve asked that question every year. Ten years ago, 95% of CISOs reported to the CIO. Today, it’s probably about 55%, with the rest reporting to a range of offices.”</p>






<p>He thinks the solution depends upon a range of factors: the industry you’re in, what you want to achieve as a CISO, the relationships you have. “If you have a good relationship with the CIO, there’s often a lot of benefit in reporting to the CIO. But if you need a lot of independence to do what’s necessary as a CISO, then maybe you shouldn’t report to the CIO.”</p>



<p>Cisco’s Chris Leach is in broad agreement. “When I first started as a CISO, some 20 years ago, I reported to the CIO – and that made sense. But as the CISO role and accountability have evolved, so the reporting structure needs to change as well. Whoever controls the security budget controls the security – and the CIO has different priorities.” CIOs want smooth computing; CISOs want secure computing – and the two concepts are not always fully compatible.</p>



<p>But that leaves a problem, because other officers tend not to have a close understanding of security. “The best reporting relationship I’ve had has been with a COO. The worst was with a CFO – I don’t think CFOs really understand the issues. But in both cases, it was ultimately down to the personal relationships. I don’t think there’s an ideal place until you understand the individuals and the company concerned. But I can tell you this,” he added: “you should never report solely to a CIO. Maybe dual-reporting with somebody else.”</p>



<p>All of this raises some interesting questions: what can a CISO who wants to shine do if the reporting structure prevents it? Well, this is where Conran’s initial comment comes into play. By ‘working for yourself’, he effectively means it is your life, your career, so take responsibility for it.</p>



<p>“A CISO has to be able to effect change,” he said, “and if you’re in a position where you cannot effect change, do something.” He gave a hypothetical example: “If you report to the CFO and it isn’t working, there have to be other C-Suite officers you can talk to.”</p>



<p>Leach takes a very similar view. “If you’re not getting through to the company and you’re having a reporting issue, I would talk to internal audit.” If the problem is reporting to the CIO, Leach doesn’t suggest bypassing the CIO and taking the complaint straight to the board, or even trying to exclude the CIO.</p>



<p>“But I would begin with audit,” he said. “Get their view and see if they’ve had any discussions around this topic with the audit committee and/or the board. Audit understands conflicts of interest. As CISOs, we tend to beat up audit, but audit can be your best friend as well.”</p>



<p>The second question raised by the reporting structure is ‘compliance’. Compliance cannot be ignored. It’s either the law (like CCPA and GDPR) or club rules that must be obeyed (like PCI). The main issues, however, are where should compliance live within the company, and who should own it.</p>



<p><strong>Compliance</strong></p>



<p>“There’s nothing wrong with requiring compliance with standards per se,” said Leach. “The problem is that there are so many of them. Any single company will likely need to comply with multiple different state privacy regulations, multiple international privacy regulations, national and international finance regulations, PCI and more. There is no single audit that confirms compliance with all of them – and maintaining separate and consistent compliance is a burden.”</p>



<p>But compliance is also a problem for the organizational structure of the company. “Take GDPR,” he said. “My argument is that privacy is a component of security. But we’re seeing a divergence of privacy and security with privacy going to the legal department. But the lawyers don’t do operations – they don’t understand 24/7 tickets and all those sorts of things we deal with.” So, privacy is taken away from security, but comes back to security to be handled.</p>



<p>“I’ve seen some companies that have a whole separate compliance department,” he continued. “That department does what it has to do, that’s good – but they always have to come back to security for answers or to make any necessary changes. Security is always central to the functioning of compliance. So should compliance be under security and help security, or should it be on a level and make demands on security? I don’t know the answer to that.”</p>



<p><strong>Advice</strong></p>



<p>Further insight into what Conran means by taking responsibility for your career comes from both the best advice he has ever received, and the advice he would give to new or prospective CISOs. The best advice came from his father. “Always work yourself out of a job, and you will always have a job.”&nbsp;</p>



<p>He has applied this in different ways at different times. He always looks for people who are constantly seeking to improve their position. He mentors and prepares them. “So, there’s one, two, or three people always ready to take my job &#8211; if necessary. But that means that if something bigger or better comes along for me, I can just take it without worrying about my current company. Or if my world suddenly changes, like mainframes get dropped and we move to client/server, or office working gets dropped in favor of remote working, I’ve already worked myself and the company into a position of being able to handle it. Work yourself out of a job, and you’ll always be in one.”</p>



<p>Leach’s best advice is different, but still related to taking responsibility. “The best advice I ever had was simple: never be afraid to vote with your feet.” He expanded on this. “If, as a CISO, you continually raise a hand to escalate issues – and assuming the reporting is to a CIO who has different priorities and ignores you – what can you do? If there is a subsequent breach, it is the CISO who bears the mark of that breach on his CV, forever. What can you do? For me, if I can’t get anything done, or I’m having roadblocks because of a bad reporting relationship, I would leave. And incidentally, I did leave&#8230; I did leave one company where I worked for that very reason – because I couldn’t get anything done because the CIO blocked everything I did.”</p>



<p>The advice that Conran would give to newcomers is again related to his central theme of taking responsibility. “What I tell everyone,” he said, “is that you must continuously and constantly learn – and if you do that, you’ll be successful. I get a lot of people who come to me and say, ‘I’m top of class with 99% right.’ I tell them that means you’re 1% wrong, and it might be that 1% that gets you. If you have the personality and aptitude to continue learning, you’ll thrive. If 99% right is all you want, that’s OK, but we’ll find somewhere else for you.”</p>



<p>Leach would simply recycle the advice he received: don’t be afraid to vote with your feet. It implies more than seems obvious. If the CISO is going to take the blame for a failure, he needs to be given the authority to prevent it. Without that authority, for the sake of your career, it might be better to move on.</p>



<p><strong>Personal attributes</strong></p>



<p>At this point it is worth asking what it takes to be a top CISO. Conran has little doubt. “Agility,” he said, “and the self-confidence to use that agility. Look,” he continued, “we might be doing something one day, and the world suddenly changes under our feet.” Like the pandemic forcing an almost overnight switch from office working to home working. “We have to be able to pivot, and we have to be able to pivot today.”</p>



<p>Or there might be a sudden and major incident. “A CISO must be able to talk at all levels – like from 40,000 feet and 20,000 feet, and sometimes right down to the ones and zeros – while keeping your hat on straight,” he said. “The agility to interact with all levels of that stack simultaneously is imperative to being successful.”</p>



<p>There’s a related attribute: the ability to understand the business. “Security used to have a technical relationship to the business,” he said. “Discussions mostly came down to ‘yes’ and ‘no’ – mostly ‘no’. That doesn’t work anymore. The CISO must be able to sit down with business in a consultative manner, and say, ‘I understand where you’re trying to go – let me explain the best way to get there.’ ‘No’ must become ‘Yes, but like this’.”</p>



<p>Asked outright whether the CISO needs to be a businessman or a techie, he replied, “I don’t understand the question. I don’t know how a CISO can do his job if he doesn’t understand technology, and I don’t know how he can do his job if he doesn’t understand the business. An understanding of both is part and parcel of being a CISO.”</p>



<p>Leach has a slightly different emphasis. “It’s more important to be a businessman,” he said. “I’ve been saying this for 20 years. If you think about being a CISO, it’s like being a general in a big battle. You’ve only got a certain number of troops and a certain amount of resources. How can that work if you don’t know where it is most important to deploy them?”</p>



<p>He gave the example of a Fortune 50 company. He asked the CIO what the company’s crown jewels were – the assets that most needed protecting. The answer wasn’t this data, or that server, or some intellectual property – it was the customers. The CEO gave exactly the same answer. “But if I went to Coca Cola and I asked the same question, I might be told their recipe or something like that. All businesses are unique. But if I don’t understand what each business is trying to achieve – what it’s best at – then I don’t know how I do my job. And most CISOs forget to ask the question.”</p>



<p>Conran adds two other attributes that will benefit the modern CISO. The first is a thick skin. “I cannot make a decision,” he said, “that does not upset a portion of my workforce. Whatever I do, I’m either turning something on or turning something off. Whichever it is, it will mean change, and people simply aren’t wired for change – but you’ve just got to keep your mind focused on the goal.”</p>



<p>The second attribute is a desire to learn. “I read for hours in the morning and hours at night – technical whitepapers, industry trends and developing themes. If you move to a new platform or different piece of technology, you must make the time to thoroughly understand it. Security is like a journey where you’ll never reach the destination. The good news is that you’re never going to finish learning about your job. The bad news is that you’re never going to finish learning about your job. You just have to keep up.”</p>



<p><strong>Future threats</strong></p>



<p>With an understanding of what it takes to be a top CISO, it is worth asking where the future threats are likely to originate. Conran breaks it into tactical threats (immediate term), and strategic threats (longer term).</p>



<p>“The tactical answer is ransomware and commodity malware. Ransomware is happening across the globe. It’s destructive and a huge problem, threatening trust in the internet. Security builds confidence in the internet. If people were to lose their confidence and no longer trust their bank or online retail shops, then rebuilding trust is something we’re going to have to work on.”</p>



<p>For the longer term, he has a different concern. “If you look into the future, but not so far out, I think Quantum is going to be massive for this sector – and for the Internet. None of our encryption algorithms will work once we have Quantum. None of our security products will work once we have Quantum. And, whoever finally gets there first is going to throw this industry up in the air. We’ll have to work through that pretty quickly to ensure we maintain the integrity of our data and transactions.”</p>



<p>Summing up, he said, “Tactically, it’s going to be ransomware and commodity malware that’s the problem. More strategically but within the foreseeable future, I think quantum computing is going to be very disruptive to the existing security products and standards that we have today.”</p>



<p>Leach is as much concerned about security’s response to threats as to the precise type of threat faced. “I think the biggest problem is that innovation from the attackers is accelerating, and we are not. We cannot continue to do what we are doing – we have a cycle of a 3- to 5-year plan and strategy. If we don’t shorten this, if we don’t go faster, we are in danger of becoming obsolete as individuals. That’s not the role of CISO, but the existing crop of CISOs.”</p>



<p>But there is another problem that stems from within, especially in the technology sector. “There’s an overwhelming number of security product vendors out there. Our constant chasing after the latest shiny object really distracts us from just getting the job done. It’s a difficult issue because we all quite rightly look for new emerging technologies, but there’s so many of them. I cannot operate a bunch of single-purpose solutions in my organization – I don’t have enough people, I don’t have enough budget, and I don’t have enough time. We need to start looking at the interconnectivity of devices, vendors, and what I really think of as a fabric. We need a better integrated security fabric.”</p>



<p>It’s a question of communication between devices. “Take the SIEM,” he said, “which was supposed to solve so many problems. You add a new process, or whatever, and suddenly, you’re re-baselining all over again. So, my SIEM, which was bought to be a problem solver, becomes a millstone around my neck.” The problem, he suggests, is that the vendors are not working together.</p>



<p>His third concern is that security needs to become more resilient. By this he means more than just recovery – for Leach, resiliency involves the anticipation of problems so that they can be avoided or better recovered from. “Resiliency is more than just recovery,” he said. “When we talk about resiliency, people often think it’s just recovery from backups. But no. We need to anticipate failures. The attacks are becoming better, stronger and more specific. We need to be in a position to anticipate and prepare for what the next attacks are going to be like.”</p>



<p>Between them, Intel’s Brent Conran and Cisco’s Chris Leach have painted a picture of the major threats to expect over the next few years, and best practices on how to handle them.</p>






<p><strong>Related</strong>:&nbsp;<a href="https://www.securityweek.com/ciso-conversations-mastercard-ellie-mae-cisos-discuss-people-problem" target="_blank" rel="noopener">CISO Conversations: Mastercard, Ellie Mae Security Chiefs Discuss the People Problem</a></p>



<p><strong>Related</strong>:&nbsp;<a href="https://www.securityweek.com/ciso-conversations-verizon-att-cisos-talk-communications-sector-security" target="_blank" rel="noopener">CISO Conversations: Verizon, AT&amp;T CISOs Talk Communications Sector Security</a></p>

]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>There Is Life for the CISO After a Breach</title>
		<link>https://www.cisoforum.com/there-is-life-for-the-ciso-after-a-breach/</link>
					<comments>https://www.cisoforum.com/there-is-life-for-the-ciso-after-a-breach/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Mon, 03 Feb 2020 15:28:53 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=466</guid>

					<description><![CDATA[A survey of CISO attitudes conducted by Symantec and Dr Chris Brauer of Goldsmiths, University of London will surprise few CISOs, but should be required reading for other business leaders. It describes adrenaline junkies that fear burnout and worry about being scapegoats in an impossible position, but remain dedicated to their job. Symantec questioned 3,000 [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p><strong>A survey of CISO attitudes conducted by Symantec and Dr Chris Brauer of Goldsmiths, University of London will surprise few CISOs, but should be required reading for other business leaders. It describes adrenaline junkies that fear burnout and worry about being scapegoats in an impossible position, but remain dedicated to their job.</strong></p>



<p>Symantec questioned 3,000 European CISOs from the UK, France and Germany. The results (<a href="http://images.mktgassets.symantec.com/Web/Symantec/%7Bfbd20327-890b-4cdf-ae33-cfc2b432263f%7D_200768_v2_SYM_High_Alert_eBook_Final.pdf" target="_blank" rel="noreferrer noopener">PDF</a>) highlight what many in the security industry will immediately recognize: 82% of CISOs already feel &#8216;burnt out&#8217;; 65% feel that their work and position are set up for failure; 64% consider quitting their job; and 63% have considered leaving the cybersecurity industry altogether.</p>



<p>It is, in short, a highly stressful position. But despite this, 92% are &#8216;thrilled&#8217; by their work; 92% are fully immersed despite the stress; and 90% are motivated by high pressure situations.</p>



<p>But despite the adrenaline junkie thrill of the job, CISOs remain pragmatic about the effect they can have. They are short-staffed, overwhelmed by the volume of security alerts received, and generally believe that the attackers have a higher skill set than the defenders. This leads to the common belief that it is not if, but when, there will be a breach.</p>



<p>The most interesting part of this report analyzes the &#8216;after the breach&#8217; change in CISOs&#8217; attitudes. Although 55% of CISOs fear they will be fired if a breach occurs on their watch, and 40% are afraid they will be held personally liable for that breach, nevertheless the experience of navigating an avoidable breach seems to favorably affect the CISO&#8217;s outlook.</p>



<p>The survey looked at the impact of known stress factors and compared responses between those (26% of the respondents) who had been through a breach with those that had not. The stress factors included increasing regulation, the alert workload, too much data with too many access points, infrastructure complexity, and the skills gap. On average, only 23% of the experienced CISOs felt that these factors increased their stress levels, while 47% of those that hadn&#8217;t experienced a breach felt associated increased stress.</p>



<p>This reduced stress appears elsewhere. &#8220;Only 19% of the &#8216;experienced&#8217; group say they are concerned about [dismissal resulting from a breach] compared to 28% of those who had not been through a breach,&#8221; says the report. &#8220;They also cite less feelings of personal responsibility for incidents that could have been avoided (22% versus 37%) and are less likely to feel like they&#8217;re in a position where they were set up for failure (21% versus 35%).&#8221;</p>



<p>The beneficial psychological effect of experiencing a breach continues into job satisfaction. Twenty-three percent versus 47% feel burnt out; 22% versus 42% feel apathy or indifference toward their work; 20% versus 34% consider quitting; and 20% versus 34% consider leaving the industry.</p>



<p>At the same time, however, some of the adrenaline-based excitement of the work seems to dissipate. Far fewer breach-experienced CISOs remain thrilled in their work, fewer feel fully supported by the business, fewer believe they have the opportunity for creative problem-solving, and fewer believe the work provides an opportunity to make an impact/difference on the world.</p>



<p>&#8220;This data is fascinating,&#8221; comments Darren Thomson, Symantec CTO EMEA, &#8220;but it&#8217;s important to understand the context &#8212; in my experience, those people who have experienced a cyber security breach and come out the other side, become much more sanguine and less emotionally charged in their approach. It doesn&#8217;t mean security leaders become less committed to their responsibilities after a major incident. If anything, more of a &#8216;I&#8217;ve seen it all before&#8217; mindset enables them to think more clearly, with a greater focus on longer-term, strategic priorities.&#8221;</p>



<p>One of the differences between breach-experienced and inexperienced CISOs noted by the survey is an increased willingness to discuss breach/attack experiences with others. Seventeen percent of experienced CISOs don&#8217;t talk to professionals outside of their business, compared to 32% of those who haven&#8217;t experienced a breach. Similarly, 14% versus 18% worry that sharing such information might adversely affect their career.</p>



<p>There is no direct data from the survey to suggest that cross-industry information sharing benefits cyber security, but it is a widely held belief supported by the authors. The report notes, &#8220;The problem is that there isn&#8217;t a substantive culture of sharing insights in the cyber security sector: 54% of respondents don&#8217;t discuss breaches or attacks with peers in the industry. Over a third (36%) of security professionals are also worried that sharing information about a breach during their watch &#8212; with peers, colleagues or prospective employers &#8212; would adversely impact their career.&#8221;</p>



<p>It then quotes Dr Steve Purser, Head of Core Operations at ENISA: &#8220;Security leaders, and the industry more broadly, need a framework for structured information sharing &#8212; whether for ongoing best practice, or as a process for learning from a breach. Enterprises or governments should be set up to handle at least three types of information. The first is strategic information for high level decision making. The second is operational information, used for improving best practices over the longer term. And the third is tactical information, such as indicators of security compromise, used for day to day responses. In each case this information should be shared with the context of a specific goal that&#8217;s being addressed.&#8221;</p>



<p>The implication is that CISOs do not share information, and that they should do so within a formal structure &#8212; that is, despite all other pressures and workloads, they should do something extra. It is possibly the formality of this type of information sharing that is the problem. In practice, CISOs actively seek their peers at conferences and forums, and do talk to each other about problems and solutions &#8212; but informally.</p>



<p>Overall, this survey provides an excellent overview of the pressures and difficulties faced by CISOs on a day to day basis. They don&#8217;t need to be told this, because they live it daily. The big takeaway for the CISO, however, is the less obvious discovery that not only is there life after a breach, it may well be a more contented life.</p>



<p><strong>Related:&nbsp;<a href="https://www.securityweek.com/being-ciso-no-longer-dead-end-job" target="_blank" rel="noreferrer noopener">Being CISO Is No Longer a Dead-End Job&nbsp;</a></strong></p>



<p><strong>Related:&nbsp;<a href="https://www.securityweek.com/how-cisos-can-demonstrate-business-value" target="_blank" rel="noreferrer noopener">How CISOs Can Demonstrate Business Value&nbsp;</a></strong></p>



<p><strong>Related:&nbsp;<a href="https://www.securityweek.com/cisco-publishes-annual-ciso-benchmark-study" target="_blank" rel="noreferrer noopener">Cisco Publishes Annual CISO Benchmark Study&nbsp;</a></strong></p>



<p><strong>Related:&nbsp;<a href="https://www.securityweek.com/ode-cisos-how-real-world-risks-became-cyber-threats" target="_blank" rel="noreferrer noopener">An Ode to CISOs: How Real-World Risks Became Cyber Threats&nbsp;</a></strong></p>

]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/there-is-life-for-the-ciso-after-a-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Industry is Not Ready for IIoT Attacks That Have Already Begun</title>
		<link>https://www.cisoforum.com/industry-is-not-ready-iiot-attacks-that-have-already-begun/</link>
					<comments>https://www.cisoforum.com/industry-is-not-ready-iiot-attacks-that-have-already-begun/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Thu, 30 May 2019 16:04:49 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[IIoT]]></category>
		<category><![CDATA[industrial]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[Irdeto]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=432</guid>

					<description><![CDATA[(Kevin Townsend &#8211; SecurityWeek) &#8211; Industrial Internet of Things (IIoT) is an essential part of business transformation and the Industry 4.0 revolution. Its use is burgeoning, with more than 7 billion devices in use worldwide. This is expected to grow to more 20 billion by 2025 &#8212; and does not include phones, tablets or laptops. [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p>(<strong>Kevin Townsend &#8211; </strong><a href="https://www.securityweek.com/industry-not-prepared-iiot-attacks-have-already-begun" target="_blank" rel="noopener"><strong>SecurityWeek</strong></a>) &#8211; The Industrial Internet of Things (IIoT) is an essential part of business transformation and the Industry 4.0 revolution. Its use is burgeoning, with more than 7 billion devices in use worldwide. This is expected to grow to more than 20 billion by 2025 &#8212; and that figure does not include phones, tablets or laptops. It is a journey just beginning, and nobody yet knows the destination or the route.</p>



<p>Cybersecurity complications are expected, but the most common perception is that so far this has been limited to the rise of massive DDoS botnets able to deliver huge attacks &#8212; like&nbsp;<a href="https://www.securityweek.com/mirai-botnet-infects-devices-164-countries" target="_blank" rel="noopener">Mirai</a>&nbsp;&#8212; from thousands of compromised IoT devices. A new survey now shows that direct cyber-attacks against IIoT have already started, and that DDoS is not a primary concern to security teams.</p>



<p>The&nbsp;<a href="https://resources.irdeto.com/irdeto-global-connected-industries-cybersecurity-survey/irdeto-global-connected-industries-cybersecurity-survey-full-report" target="_blank" rel="noreferrer noopener">survey</a>, conducted by Vanson Bourne for Irdeto, questioned 700 security decision makers across Connected Health, Connected Transport and Connected Manufacturing, and the IT and technology firms that manufacture devices. Data was gathered in March and April 2019 from China, Germany, Japan, the UK and the U.S.</p>



<p>Eighty percent of these organizations experienced a cyber-attack against their IoT over the last 12 months. The highest rate was in the UK at 86% (three other regions had attacks against more than 80% of respondents), with Japan at the relatively low 60%. Within the industry verticals examined, 82% of healthcare organizations, 79% of manufacturing and production organizations, and 77% of connected transport organizations have experienced an attack.</p>



<p>While attacks against IIoT have already started, organizations have little confidence in the immediate future. Globally, 83% of organizations are concerned about their IoT systems suffering a future cyber-attack (with 32% being &#8216;very&#8217; concerned). Concern is highest in the UK (91%), with the U.S. at 87%. Japan and China show the least concern at 76% and 77% respectively.</p>



<p>Coupled with these concerns, there is little confidence in the existing device security. Globally, 33% of user organizations believe that device security could be improved to a great extent. Only 2% felt that security could not be improved. Even among the IoT manufacturers, there is little confidence. Forty-one percent of the IoT device manufacturers feel their own device security could be improved to a great extent. This was highest in Germany (49%) and lowest in Japan (32%).</p>



<p>The degree of concern differs between the verticals. Connected transport is most concerned about compromised customer data (35%) followed by loss of customers and operational downtime (both at 15%). Healthcare is most concerned about compromised customer data (39%) followed by compromised end-user safety (20%). Manufacturing and production is primarily concerned with compromised end-user safety (21%) followed by operational downtime (19%).</p>



<p>None of these figures are surprising given the nature of the verticals &#8212; except, perhaps, that healthcare is more worried about loss of data than end-user safety (presumably patients). This may reflect the success and effect of&nbsp;<a href="https://www.securityweek.com/healthcare-security-wheres-hype-hipaa" target="_blank" rel="noopener">HIPAA</a>.</p>



<p>The average cost of an IoT security incident has been relatively low in cyber breach terms &#8212; just $330,602. It is highest in connected transport, and lowest in manufacturing and production. This surprises Irdeto. &#8220;It&#8217;s possible that these organizations may not be taking into account all of the costs associated with a cyberattack, including lost business, costs to correct any vulnerabilities that led to the attack, etc,&#8221; it writes. &#8220;It is also possible that with IoT proliferation in these industries being in its relative infancy, the current cost of cyberattacks on these devices is not as catastrophic as in other parts of the business. However, if this is the case, the costs will surely skyrocket as IoT devices become more abundant and connectivity continues to increase throughout the business.&#8221;</p>



<p>It is fair to say that as IoT becomes more deeply embedded in manufacturing &#8212; especially in the operational side &#8212; the cost of a serious attack could increase dramatically. When a variant of WannaCry&nbsp;<a href="https://www.securityweek.com/chip-giant-tsmc-says-wannacry-behind-production-halt" target="_blank" rel="noopener">got into the OT network</a>&nbsp;of the Taiwanese TSMC chip fabricator in 2018, it resulted in costs of around $170 million.</p>



<p>The Irdeto survey demonstrates that direct cyber-attacks against IIoT have already started, and that industry is not yet well prepared. In fact, Irdeto found only one promising response: 99% of the respondents agree that a security solution should be an enabler of new business models, and not just a cost. It took IT security many years to come to the same position. It demonstrates, says Irdeto, that &#8220;The previous mindset of security as an afterthought is changing, and one of the most promising results of the study found that today&#8217;s organizations are thinking even more strategically about security.&#8221;</p>

]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/industry-is-not-ready-iiot-attacks-that-have-already-begun/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>U.S. Federal Agencies Slow in Implementing New Information Technology</title>
		<link>https://www.cisoforum.com/u-s-federal-agencies-slow-in-implementing-new-information-technology/</link>
					<comments>https://www.cisoforum.com/u-s-federal-agencies-slow-in-implementing-new-information-technology/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Mon, 07 Jan 2019 15:20:49 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Accenture]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[IT]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=416</guid>

					<description><![CDATA[(Ionut Arghire &#8211; SecurityWeek) &#8211; U.S. federal agencies are accelerating the modernization of their information technology (IT) systems and infrastructures, but they still have to align their technology priorities with mission objectives, new research from Accenture discovered. In their newly published State of Federal IT 2018 report (PDF), Accenture reveals that only a few agencies [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><strong>(Ionut Arghire &#8211; SecurityWeek) &#8211; U.S. federal agencies are accelerating the modernization of their information technology (IT) systems and infrastructures, but they still have to align their technology priorities with mission objectives, new research from Accenture discovered.</strong></p>
<p>In their newly published <em>State of Federal IT 2018</em> report (<a href="https://www.accenture.com/t20181210T024327Z__w__/us-en/_acnmedia/PDF-90/Accenture-810090-the-state-of-federal-IT-POV-final.pdf" target="_blank" rel="noopener">PDF</a>), Accenture reveals that only a few agencies have fully adopted new approaches like cloud computing, digital platforms and agile software development. This reveals gaps that many agencies are facing in supporting more-agile operations.</p>
<p>According to the survey, IT organizations are making progress in modernizing technology systems and infrastructures, yet 70% of the responding IT decision makers say they’re still playing an enabling role within their agency.</p>
<p>Only 47% of them believe they’re effectively contributing to mission agility (integrating, automating, and digitizing key processes and services), but 67% believe they can protect the agency from insider threats/security breaches. 66% say they can protect it from outsider threats/cyberattacks.</p>
<p>The report, which received responses from 200 federal IT executives, reveals that only 39% of the respondents believe they’re able to transform mission and business requirements into compelling business cases for new IT investment.</p>
<p>The research unveiled a focus on modernizing IT operations rather than on deploying capabilities to directly empower mission and business stakeholders. 54% of respondents consider commercial cloud infrastructure as either very important or essential to accelerating IT impact, and 40% say the same about software-as-a-service applications.</p>
<p>Regardless, commercial cloud adoption among federal agencies remains low. More than half (54%) of the survey respondents admitted to running only 25% or less of their infrastructure in the cloud.</p>
<p>Although federal agencies tend to focus on IT investments, the respondents cited lack of funding (48%), cybersecurity concerns (44%) and a reliance on legacy IT (40%) as challenges to technology adoption. 28% of government executives said digital skills shortage was a barrier.</p>
<p>The report also outlines three key principles that are critical to IT modernization, which should help federal agencies in their journey to implementing new technologies.</p>
<p>These include the fact that IT leaders must use their understanding of technology’s potential to help their agencies improve their capabilities. New partnerships and collaborations are needed, as well as readiness for constant change, given the pace at which technology advances.</p>
<p>“Enterprises recognize as fundamental the need to digitize their operations to become more scalable, efficient, adaptive, innovative, and precise. This is equally true for federal agencies. To thrive in this new era, federal IT leaders must prepare for dramatic changes in how they operate and deliver value,” the report reads.</p>
<p><strong>Related</strong>: <a href="https://www.securityweek.com/many-federal-agencies-fail-meet-dmarc-implementation-deadline" target="_blank" rel="noopener">Many Federal Agencies Fail to Meet DMARC Implementation Deadline</a></p>
<p><strong>Related</strong>: <a href="https://www.securityweek.com/senator-urges-federal-agencies-ditch-adobe-flash" target="_blank" rel="noopener">Senator Urges Federal Agencies to Ditch Adobe Flash</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/u-s-federal-agencies-slow-in-implementing-new-information-technology/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Why AI Raises Your Risk of Cybercrime &#8211; And What to do About It</title>
		<link>https://www.cisoforum.com/why-ai-raises-your-risk-of-cybercrime-and-what-to-do-about-it/</link>
					<comments>https://www.cisoforum.com/why-ai-raises-your-risk-of-cybercrime-and-what-to-do-about-it/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Thu, 08 Nov 2018 20:51:31 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Data breach]]></category>
		<category><![CDATA[incident]]></category>
		<category><![CDATA[response]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=413</guid>

					<description><![CDATA[The robots are coming. It has become conventional wisdom that artificial intelligence (AI) and machine learning (ML) will increasingly determine our lives going into the future. By 2020, according to an estimate from Capterra, about 85% of customer-business interactions will take place with AI, without a human involved. 47% of organizations with advanced digital practices [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>The robots are coming. It has become conventional wisdom that artificial intelligence (AI) and machine learning (ML) will increasingly determine our lives going into the future. By 2020, according to an estimate from Capterra, about 85% of customer-business interactions will take place with AI, without a human involved. 47% of organizations with advanced digital practices have a defined AI strategy, based on data from Adobe. But for IT and security executives and professionals who must protect against cybercrime, AI poses both a promise and threat.</p>
<p>The industry is looking toward the promise of AI tools to stay a step ahead of the cybercriminals. Experian’s 2018 annual Data Breach Preparedness Study found just 31% of respondents were confident in their organization’s ability to recognize and minimize spear phishing incidents, and just 21% were confident in their organization’s ability to deal with ransomware. Malware and cyberattacks evolve over time. ML uses data from previous cyberattacks, leveraging what it knows and understands about past attacks and menaces to identify and respond to newer, similar risks. The thinking also goes that AI and ML will help save time for overburdened IT departments.</p>
<p>The threat comes from the bad guys also employing AI to create more sophisticated attacks, enhancing traditional hacking techniques like phishing scams or malware attacks. For example, cybercriminals could use AI and ML to make fake e-mails look authentic and deploy them faster than ever before. Criminals could apply AI to develop mutating malware that changes its structure to avoid detection. AI could scrub social media for personal data to use in phishing cons. Data poisoning is another danger, in which attackers find out how an algorithm is set up, then introduce false data that misleads on which content or traffic is legitimate and which is not.</p>
<p>A lesser threat comes from within the industry, as companies rush to market with so-called AI cyber security tools. There is a difference between AI and machine learning. ML algorithms train on large data sets to “learn” what to look for on networks and how to respond to various scenarios. Generally, ML needs new training data to calculate and reach new conclusions, while a true AI system does not.<br />
Some products are based on “supervised learning,” requiring the data sets that algorithms are trained on to be chosen and labeled, by tagging malware code and clean code, for example. Some vendors are using training information that hasn’t been thoroughly scrubbed of erroneous data points, which means the algorithm won’t catch all attacks. Hackers could switch tags so that some malware is designated as clean code, or simply figure out the code the ML is using to flag malware and delete it from their own, so the algorithm doesn’t detect it.</p>
<p>Given the fast-changing landscape, here are some tips to realize the enormous potential of AI and ML and still protect your organization.</p>
<p>Resist the hype. AI and ML are the hot buzzwords and technologies of the moment. But there’s also a great deal of confusion. According to ESG Research, just 30% of cybersecurity professionals feel they are very knowledgeable about AI and ML and their application to cybersecurity analytics. When purchasing an AI or ML tool, do your research and understand what you’re buying so that it’s an effective and appropriate solution for your organization.</p>
<p>Keep a human involved in the process. There is an old IT truism: bad data in, bad data out. The “intelligence” in AI is based on data inferences and correlations, which need to be checked and monitored so the model is addressing risks appropriately and evolving as you need. ML systems shouldn’t be totally autonomous. They should be set up with a human in the loop, and the ML should know to ask for help when presented with an unfamiliar situation.</p>
<p>Have a strong data breach plan. According to Experian’s Data Breach Preparedness Study, 88% of organizations have a data breach response plan in place, but less than half (49%) think it is effective or highly effective. If you have a plan, it shouldn’t just sit on a shelf. Make sure that it is robust, with buy-in from all the key departments of your company, and drill on it early and often. If you need to get started on a plan or refine it, Experian’s updated <a href="https://www.experian.com/assets/data-breach/white-papers/experian-2018-2019-data-breach-response-guide.pdf" target="_blank" rel="noopener">Data Breach Response Guide</a> can serve as a resource.</p>
<p>AI and ML are the wave of the future. But the cyber threats are real now, and so are the limitations of the technology as a foolproof protection tool. Be aware, both of what’s ahead from the cybercriminals and how you’re applying AI solutions, so you’re not lulled into a false sense of security.</p>
<p><strong>About the Author</strong>: <img decoding="async" class="alignleft wp-image-414 size-full" src="https://www.cisoforum.com/wp-content/uploads/2018/11/Michael-Bruemmer-2016.jpg" alt="Michael Bruemmer, Experian " width="150" height="188" />Michael Bruemmer is Vice President of <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank" rel="noopener">Experian Data Breach Resolution</a>, which helps businesses mitigate consumer risk following data breach incidents.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/why-ai-raises-your-risk-of-cybercrime-and-what-to-do-about-it/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CISO Survey Shows Importance of Threat Hunting in the Finance Sector</title>
		<link>https://www.cisoforum.com/ciso-survey-shows-importance-of-threat-hunting-in-the-finance-sector/</link>
					<comments>https://www.cisoforum.com/ciso-survey-shows-importance-of-threat-hunting-in-the-finance-sector/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Tue, 22 May 2018 13:29:37 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[carbon black]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[survey]]></category>
		<category><![CDATA[threat hunting]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=398</guid>

					<description><![CDATA[Attackers Hide in Plain Sight as Threat Hunting Lags (Kevin Townsend &#8211; SecurityWeek) &#8211; The finance sector has one of the most robust cybersecurity postures in industry. It is heavily regulated, frequently attacked, and well-resourced &#8212; but not immune to cybercriminals. Ninety percent of financial institutions were targeted by ransomware alone in the past 12 [&#8230;]]]></description>
										<content:encoded><![CDATA[<h3 class="page-title" style="text-align: center;">Attackers Hide in Plain Sight as Threat Hunting Lags</h3>
<p>(Kevin Townsend &#8211; SecurityWeek) &#8211; The finance sector has one of the most robust cybersecurity postures in industry. It is heavily regulated, frequently attacked, and well-resourced &#8212; but not immune to cybercriminals. Ninety percent of financial institutions were targeted by ransomware alone in the past 12 months.</p>
<p>Endpoint protection firm Carbon Black <a href="https://www.carbonblack.com/resource/modern-bank-heists-cyberattacks-lateral-movement-in-the-financial-sector?utm_source=security-week" target="_blank" rel="noopener">surveyed</a> the CISOs of 40 major financial institutions during April 2018 to understand how the finance sector is attacked and what concerns its defenders. Two things most stand out: nearly half (44%) of financial institutions are concerned about the security posture of their technology service providers (TSPs &#8212; the supply chain); and despite their resources, only 37% have established threat hunting teams.</p>
<p>Concern over the supply chain is not surprising. Cybercriminals are increasingly attacking third-parties (who may be less well-protected or have their own security issues) to gain access to the primary target. The Federal Deposit Insurance Corporation (FDIC) is also concerned about the supply chain, and has developed an examination process that includes reviewing public information about the TSPs and their software.</p>
<p>One of the areas that concerns the FDIC is consolidation within the service provider industry. &#8220;For example,&#8221; it notes, &#8220;a flawed acquisition strategy may weaken the financial condition of the acquirer, or a poorly planned integration could heighten operational or security risk.&#8221;</p>
<p>Carbon Black recommends that this potential risk be countered by hunt teams and defenders closely assessing their TSP security posture. But, it adds, &#8220;Given that 63% of financial institutions have yet to establish threat hunting teams, there should be concern regarding limited visibility into exposure created by TSPs.&#8221;</p>
<p>But it also considers threat hunting to be important in detecting direct attacks. There are two primary reasons. The first is the increasing tendency for attackers to use fileless attacks that are not easily detected by standard technology; and the second is a growing willingness for attackers to engage in counter-countermeasures; that is, to counter the defender&#8217;s incident response.</p>
<p>Fileless attacks are increasing across all industry sectors. A typical attack might involve a Flash vulnerability. Flash invokes PowerShell, feeding instructions via the command line. PowerShell then connects to a stealth C&amp;C server, from where it downloads a more extensive PowerShell script that performs the attack. All of this is done in memory &#8212; no malware file is downloaded and there is nothing for traditional technology defenses to detect.</p>
<p>&#8220;Active threat hunting,&#8221; says Carbon Black, &#8220;puts defenders &#8216;on the offensive&#8217; rather than simply reacting to the deluge of daily alerts.&#8221; It &#8220;aims to find abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data. Though the concept of threat hunting isn&#8217;t new, for many organizations the very idea of threat hunting is.&#8221;</p>
<p>But the need for threat hunting goes beyond simple detection of intrusion. &#8220;Attackers are able to go off their scripts while defenders are sticking to manual and automated playbooks,&#8221; warns Carbon Black. &#8220;These playbooks are generally based off simple indicators of compromise (IoCs). As a result, security teams are often left thinking they have disrupted the attacker but, with counter incident response, attackers maintain the upper hand.&#8221;</p>
<p>Compounding this, attackers are beginning to incorporate a secondary command and control in case one is discovered or disrupted. Carbon Black notes that this tactic has already been found in 10% of victims, and predicts it is a tactic that will grow in future months. The principle is that an attacker&#8217;s ability to improvise and change direction at speed is best countered by a human defender rather than simply a pre-programmed set of incident response steps.</p>
<p>&#8220;Financial institutions,&#8221; suggests Carbon Black, &#8220;should aim to improve situational awareness and visibility into the more advanced attacker movements post breach. This must be accompanied with a tactical paradigm shift from prevention to detection. The increasing attack surface, coupled with the utilization of advanced tactics, has allowed attackers to become invisible. Decreasing dwell time is the true return on investment for any cybersecurity program.&#8221;</p>
<p>In reality, of course, this does not just apply to the finance sector. The same evolving methodology is being used by attackers across all industry sectors. The need for threat hunting is not limited to finance. &#8220;All sectors should take heed,&#8221; Carbon Black chief cybersecurity officer Tom Kellermann told SecurityWeek. &#8220;Generally speaking, financial services tend to be the most secure as they&#8217;ve come under attack with high-profile attack campaigns in recent years.&#8221; The implication is that if the finance sector is slow to switch to active threat hunting, other sectors will be slower.</p>
<p>In April 2018, Carbon Black filed an S-1 registration statement with the U.S. Securities and Exchange Commission (SEC) for a proposed initial public offering (<a href="https://www.securityweek.com/carbon-black-prepares-100-million-ipo" target="_blank" rel="noopener">IPO</a>) of its common stock. Shares of the company (NASDAQ: CBLK) jumped 26% on its first day of trading on May 4. The company has a market capitalization of nearly $1.6 billion at the time of publishing. The company emerged in its current form after its <a href="https://www.securityweek.com/bit9-raises-38-million-acquires-carbon-black" target="_blank" rel="noopener">purchase by Bit9</a> in February 2014.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/ciso-survey-shows-importance-of-threat-hunting-in-the-finance-sector/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>City of Atlanta Ransomware Attack Proves Costly</title>
		<link>https://www.cisoforum.com/city-of-atlanta-ransomware-attack-proves-costly/</link>
					<comments>https://www.cisoforum.com/city-of-atlanta-ransomware-attack-proves-costly/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Mon, 07 May 2018 20:02:55 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Atlanta]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=380</guid>

					<description><![CDATA[City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not (Kevin Townsend &#8211; SecurityWeek) Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million dollars in contracts to help its recovery from a ransomware attack on March 22, 2018 [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2 style="text-align: center;"><strong>City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not</strong></h2>
<p><strong>(Kevin Townsend &#8211; <a href="https://www.securityweek.com/city-atlanta-ransomware-attack-proves-disastrously-expensive" target="_blank" rel="noopener">SecurityWeek</a>) </strong>Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million in contracts to help its <a href="https://www.securityweek.com/ransomware-hits-city-atlanta" target="_blank" rel="noopener">recovery from a ransomware attack</a> on March 22, 2018 &#8212; which (at the time of writing) is still without resolution.</p>
<p>Precise details on the Atlanta contracts are confused and confusing &#8212; but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst &amp; Young is being paid $600,000 for advisory services for cyber incident response. All the <a href="http://procurement.atlantaga.gov/awarded-emergency-procurements/" target="_blank" rel="noopener">contracts</a> together appear to total roughly $2.7 million. The eventual cost will likely be more, since it doesn&#8217;t include lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners and $300 per hour for associates. The ransom demand was for around $51,000.</p>
<p>The ransomware used in the attack was SamSam. In February this year, SecureWorks published a report on SamSam and attributes it to a group it knows as Gold Lowell. Gold Lowell is unusual in its ransomware attacks since it typically compromises its victim networks in advance of encrypting any files.</p>
<p>SecureWorks makes two specific points about Gold Lowell that might be pertinent to the Atlanta incident. Firstly, &#8220;In some cases where the victim paid the initial ransom, GOLD LOWELL revised the demand, significantly increasing the cost to decrypt the organization&#8217;s files in an apparent attempt to capitalize on a victim&#8217;s willingness to pay a ransom.&#8221; Atlanta officials have always declined to comment on whether they paid, or attempted to pay, the ransom.</p>
<p>Secondly, &#8220;GOLD LOWELL is motivated by financial gain, and there is no evidence of the threat actors using network access for espionage or data theft.&#8221; Atlanta officials were quick to claim that no personal data was lost in the attack.</p>
<p>Also worth considering is the SamSam <a href="https://www.securityweek.com/samsam-ransomware-attacks-hit-healthcare-firms" target="_blank" rel="noopener">attack on Hancock Health</a> reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers &#8212; which sound like the Gold Lowell group &#8212; had previously compromised them.</p>
<p>The extended dwell time by the Gold Lowell group prior to encrypting files and making a ransom demand would explain the extreme difficulty that Atlanta is experiencing in trying to recover from the attack. The Hancock incident suggests that rapid payment might have resulted in file recovery, but SecureWorks also suggests it might have led to a further demand.</p>
<p>There are also indications that Gold Lowell&#8217;s dwell time could have been extensive and effective. According to WSB-TV, Atlanta officials had been warned months in advance that at least one server was infected with malware, and that in February it contacted a blacklisted IP address associated with known ransomware attacks. Whether the incidents are directly connected will only come out with forensic analysis.</p>
<p>However, the few facts that are known raise a very complex ethical issue. Atlanta seems to have chosen to pay nearly $3 million of taxpayer money rather than just $51,000, possibly on a point of principle. That principle is supported by law enforcement agencies around the world, who advise that ransoms should not be paid. In this case, the sheer disparity between the cost of the ransom and the cost of restitution (more than 50-to-1 and growing), all of which must be paid with someone else&#8217;s money, makes it reasonable to question the decision.</p>
<p>There is no simple answer. Atlanta does, however, get almost unequivocal support from the CISO of another U.S. city, who spoke to <em>SecurityWeek</em> requesting anonymity. &#8220;Unless paying the ransom provided details of how they were breached, what would it really get them?&#8221; he asked. &#8220;Firstly, they don&#8217;t know if they would actually get the decrypt keys; secondly, they don&#8217;t know if they would simply get hit again; and thirdly, it would only encourage more of the same kind of action.</p>
<p>&#8220;By bringing in emergency support,&#8221; he continued, &#8220;they probably now have a much better picture of their security posture, most likely have cleaned up a number of issues, and are now on track to pay more attention to this business risk.&#8221; His only criticism is that the money should have been spent to prevent ransomware rather than to recover from it. &#8220;The real lesson,&#8221; he said, &#8220;is for probably 10-20% of the cost of the emergency support they could have brought in the same people to help with the same issues prior to the incident. Would that guarantee it would not happen? No &#8212; but it would improve the odds greatly, would limit the damage done, and improve recovery efforts if it happened.&#8221;</p>
<p>Ilia Kolochenko, CEO of web security company High-Tech Bridge, has a different view. &#8220;The ethical dilemma whether to pay or not to pay a ransom becomes very complicated today. This incident is a very colorful, albeit sad, example that refusing to pay a ransom may be economically impractical and detrimental for the victims.&#8221;</p>
<p>He agrees that Atlanta should have been better prepared. &#8220;Taking into consideration the scope and the disastrous consequences of this incident, one may reasonably suggest that Atlanta has a lot of space for improvement in cybersecurity and incident response. Spending 50 times more money to remediate the consequences of the attack, instead of investing the same money into prevention of further incidents, is at least questionable.&#8221;</p>
<p>But he disagrees with one of the primary arguments of those who advocate not paying. &#8220;Refusing to pay a ransom is unlikely to demotivate cybercriminals from conducting further attacks, as they will always find someone else to pay.&#8221;</p>
<p>In the final analysis, he believes that each case needs to be decided on its own merits, but adds, &#8220;In some cases, paying a ransom is the best scenario for a company and its economic interests. Otherwise, you risk spending a lot of valuable resources with no substantial outcome.&#8221;</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/city-of-atlanta-ransomware-attack-proves-costly/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Security Awareness Training a Top Priority for CISOs: FS-ISAC Report</title>
		<link>https://www.cisoforum.com/security-awareness-training-top-priority-cisos-fs-isac-report/</link>
					<comments>https://www.cisoforum.com/security-awareness-training-top-priority-cisos-fs-isac-report/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Wed, 14 Feb 2018 15:00:52 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[FS-ISAC]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[training]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=378</guid>

					<description><![CDATA[(SecurityWeek &#8211; Kevin Townsend) &#8211; Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense. The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled more than 100 of its 7,000 global members to produce the first of its [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>(<a href="https://www.securityweek.com/security-awareness-training-top-priority-cisos-report" target="_blank" rel="noopener">SecurityWeek &#8211; Kevin Townsend</a>) &#8211; <strong>Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense.</strong></p>
<p>The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled more than 100 of its 7,000 global members to produce the first of its planned annual CISO Cybersecurity Trends Study. ISACs are non-profit organizations, usually relevant to individual critical infrastructure sectors, designed to share threat information among their members and with relevant government agencies. They were born from Bill Clinton&#8217;s 1998 Presidential Decision Directive <a href="https://fas.org/irp/offdocs/pdd-63.htm" target="_blank" rel="noopener">PDD 63</a>.</p>
<p>The FS-ISAC&#8217;s 2018 Cybersecurity Trends Report (<a href="https://www.fsisac.com/sites/default/files/27377_FS-ISAC_TrendGraphic_bms1-r2.pdf" target="_blank" rel="noopener">PDF</a>) notes a distinction in priorities based on the individual organization&#8217;s reporting structure. Where CISOs report into a technical structure, such as the CIO, the priority is for infrastructure upgrades, network defense and breach prevention. Where they report into a non-technical function, such as the COO or Legal, the priority is for staff training.</p>
<p>This could be as simple as CISOs prioritizing areas for which they are most likely to get funding. However, that staff training is considered the overall priority does not surprise Dr. Bret Fund, founder and CEO at SecureSet.</p>
<p>&#8220;I think that speaks to CISOs seeing first-hand how their largest risks of breach rest in the people component vs. the product or process components,&#8221; he suggests. &#8220;Executives and Boards cannot underestimate the need for a robust security culture inside their organizations; and the way that you achieve that is through proper education and training.&#8221;</p>
<p>Dan Lohrmann, chief security officer at Security Mentor, agrees. &#8220;The mission-essential business aspects that end user security awareness training is now playing in global financial organizations must be front and center surrounding around all data handling and incident response.&#8221; He recommends metrics-based training so that progress can be monitored.</p>
<p>The report finds no common reporting structure within financial organizations. Only 8% of CISOs report directly to the CEO. Sixty-six percent report to the CIO (39%), the CRO (14%) or the COO (13%). Despite these differences, there appears to be no impact on the frequency of reporting to the board of directors on cybersecurity.</p>
<p>Reporting most frequently occurs every three months (54% of CISOs). Eighteen percent report every six months, and 16% report annually. Only 6% report monthly.</p>
<p>There is no indication within the report on structural trends, which could provide an insight into the evolving role of the CISO. Greg Reber, CEO at AsTech, thinks this is an omission. &#8220;At AsTech, we see moves away from CISOs reporting to CIOs, as the incentives can be at odds,&#8221; he explains. &#8220;CIOs may need to get things done quickly to realize financial goals &#8212; moving processing to the cloud environments for example &#8212; while CISOs are chiefly concerned with risk management.&#8221;</p>
<p>He also notes a failure to comment on cyber risk insurance. &#8220;This falls into an &#8216;event response&#8217; category, which we see as a top priority. However, it didn&#8217;t appear in the top three responses in this survey.&#8221; Reber equates &#8216;cyber defense&#8217; with a Maginot Line philosophy, and believes resources should be balanced between defense and response.</p>
<p>&#8220;This report from FS-ISAC highlights the continued need for cyber awareness and vigilance from staff,&#8221; comments Stephen Burke, founder and CEO at Cyber Risk Aware. &#8220;Hackers are great at exploiting human nature, using social engineering tactics to gain their victims&#8217; trust. Once they can get through defense and onto a user&#8217;s machine they may use sophisticated methods to stealthily move laterally across a network stealing data or credentials.&#8221;</p>
<p>FS-ISAC&#8217;s recommendation to its members, based on its survey findings, is that staff training should be prioritized regardless of the reporting structure. &#8220;People can be the solution to these growing online risks, or they can be contributors to the growing level of security problems,&#8221; says Lohrmann. &#8220;Effective security awareness training will enable the enterprise to successfully stop cyberattacks.&#8221;</p>
<p><strong>Venture and M&amp;A</strong></p>
<p>Security awareness firms have been the subject of significant funding and M&amp;A transactions in recent months.</p>
<p>Earlier this month, security awareness training firm Wombat Security agreed to be acquired by <a title="Wombat acquired" href="https://www.securityweek.com/proofpoint-acquire-security-awareness-training-firm-wombat-security-225-million" target="_blank" rel="noopener">Proofpoint for $225 million</a> in cash. In August 2017, Webroot <a href="https://www.securityweek.com/webroot-acquires-security-awareness-training-firm-securecast" target="_blank" rel="noopener">acquired Securecast</a>, an Oregon-based company that specializes in security awareness training. In October 2017, security awareness training and simulated phishing firm <a href="https://www.securityweek.com/simulated-phishing-firm-knowbe4-raises-30-million" target="_blank" rel="noopener">KnowBe4 secured $30 million</a> in Series B financing, which brought the total amount raised by KnowBe4 to $44 million. Security awareness training firm PhishMe has raised nearly $58 million in funding, including a <a title="PhishMe Funding" href="https://www.securityweek.com/phishme-raises-425-million-series-c-funding" target="_blank" rel="noopener">$42.5 million series C</a> funding round in July 2016.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/security-awareness-training-top-priority-cisos-fs-isac-report/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
