Reactive Security Strategy Poses Significant Challenge for CISOs

Published September 20, 2017


Nathan Misner
Sr. Director of Global Communications
F5 Networks
(206) 272-7494

Holly Lancaster
WE Communications
(415) 547-7054

New research from F5 finds only 51% of companies have an established IT security strategy

SINGAPORE – Today at Singapore International Cyber Week, F5 Networks (NASDAQ: FFIV) released a comprehensive report on the evolving nature of the CISO role and the IT security approaches organizations around the world are taking in today’s constantly shifting threat landscape. The report finds that as IT security increasingly becomes a priority, CISOs’ influence within companies is growing; however, security strategy in many organizations is still largely reactive and not yet aligned with business functions.

Conducted by the Ponemon Institute, the findings are based on interviews with senior-level IT security professionals at 184 companies in seven countries: The United States, the United Kingdom, Germany, Brazil, Mexico, India, and China.

“This research provides a unique view into how CISOs are operating in today’s challenging environment,” said Mike Convertino, Chief Information Security Officer at F5. “It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. But in many organizations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”

Key Findings

  • Responsibility growing for CISOs – Although CISOs have varying degrees of influence among upper management in their organizations, most CISOs are influential in managing their companies’ cybersecurity risks, and their impact is growing. Sixty-eight percent of respondents say CISOs have the final say in all IT security spending, while a slightly smaller number (64%) say they have direct influence and authority over all security expenditures in their organizations. Eighty-seven percent of respondents say the IT security budget has increased significantly (18%), increased some (29%), or has not changed (40%).
  • Alignment lacking with business – An IT security strategy that spans the entire company is still very rare. Fifty-eight percent of respondents indicate IT security is a standalone function and only 22% say security is integrated with other business teams, while 45% say their security function does not have clearly defined lines of responsibility. Seventy-five percent of respondents say that due to the lack of integration with business functions, turf and silo issues have either a significant influence (36%) or some influence (39%) on IT security tactics and strategies.
  • Recognition of security as a business priority is reactive – Sixty percent of respondents believe their organizations consider security to be a business priority, yet only 51% say their organization has an IT security strategy, and of those only 43% say that strategy is reviewed, approved, and supported by other C-level executives. The findings indicate that change in security programs is largely reactive, with material data breaches (45%) and cybersecurity exploits (43%) the top two events that get attention from other senior executives.
  • Crises driving influence with executive leadership – Sixty-five percent of respondents say CISOs communicate directly with senior executives, but rarely is it strategic discussion of all threats to the organization. Respondents also acknowledged limited executive communication around security events, with 46% stating that only material data breaches and cyber attacks are reported to the CEO and board of directors, while just 19% report all data breaches to this group.
  • AI is a potential solution to staffing needs – A talent shortage in IT security continues to loom large for CISOs. The average headcount of IT security personnel will increase from 19 to 32 full-time (or equivalent) employees over the next two years, with nearly half (42%) feeling their current staffing is not adequate. Fifty-eight percent say they have difficulty hiring qualified security personnel, with the biggest challenges identifying and recruiting qualified candidates (56%) and an inability to offer a market-level salary (48%). These challenges are pushing companies to look elsewhere for solutions – half of respondents (50%) believe computer learning and artificial intelligence can address staffing shortages, and 70% believe these technologies will be important to their IT security functions in two years.

About F5

F5 (NASDAQ: FFIV) makes apps go faster, smarter, and safer for the world’s largest businesses, service providers, governments, and consumer brands. F5 delivers cloud and security solutions that enable organizations to embrace the application infrastructure they choose without sacrificing speed and control. For more information, go to You can also follow @f5networks on Twitter or visit us on LinkedIn and Facebook for more information about F5, its partners, and technologies.

F5 is a trademark or service mark of F5 Networks, Inc., in the U.S. and other countries. All other product and company names herein may be trademarks of their respective owners.

# # #

This press release may contain forward looking statements relating to future events or future financial performance that involve risks and uncertainties. Such statements can be identified by terminology such as "may," "will," "should," "expects," "plans," "anticipates," "believes," "estimates," "predicts," "potential," or "continue," or the negative of such terms or comparable terms. These statements are only predictions and actual results could differ materially from those anticipated in these statements based upon a number of factors including those identified in the company's filings with the SEC.