The role of the Chief Information Security Officer (CISO) has evolved significantly over the past decade as cyber threats have diversified and proliferated. With IT now integral to every aspect of business and mission operations, CISOs carry great responsibility in the ongoing battle to keep their organizations safe from an endless stream of attacks.

Given how quickly both the attack surface and the threat environment change, it can be challenging for CISOs to keep up with what is happening beyond their home borders. To help, this study offers the kind of insights CISOs have long been asking for — to benchmark their situation and experience against others; to learn from what their peers are doing and planning to do; and to validate ideas and obtain solid data to justify investments in these areas.


This study utilized a two-part methodology. First was a quantitative survey that was designed with guidance from a Board of CISOs working at private and public sector organizations in the United States, Canada, Europe, Australia and Asia. Respondents were recruited through direct relationships with CISOs Connect and from a well-screened panel. We received 411 survey completions from respondents identifying as CISOs or CISO-equivalent across a broad range of industry sectors. All responses were anonymous.

Additionally, we conducted in-depth discussions with members of our Board to get detailed perspectives on their experiences as CISOs defending their organizations from rampant cyber threats. These individuals are particularly known for their strong technical and business acumen. You will find insights and best practice recommendations from them throughout this report.


  1. The battle is not easing. Ransomware, phishing/spear phishing, and supply chain attacks stand atop the list of threats that concern CISOs the most. The great majority of CISOs see the threat landscape as worse than a year ago; 75% confirm being hit during that period at least once, and as many as five times, by a cyber attack that caused material damage. Midsized organizations especially bear the brunt: 67.5% of organizations with between 1,000 and 4,999 employees and 62.2% of those with between 5,000 and 10,000 employees report multiple attacks that caused material damage. However, no organization is safe from attack.
  2. CISOs recognize current limitations. They feel more confident in their ability to detect cyber attacks than to prevent or respond to them. They also struggle with quantifying the cybersecurity domain, from the ROI of their initiatives to the overall financial risks and even the cumulative impacts of an incident.
