CISOs in the UK faced giant hurdles this year, from the persistent skills shortage and budget limitations to advanced cyberattacks and economic uncertainty. Despite these challenges, CISOs still had to fulfill the critical role of protecting their organization’s digital assets and driving cybersecurity investments. According to research by ECI Partners, CISOs are the most in-demand leadership role in the UK, and that demand will remain for the next five years.
As the year draws to a close, what should UK CISOs prioritize in 2024 to ensure their organization is prepared for the evolving cybersecurity landscape? This article uncovers 7 key focus areas for UK CISOs to add to their agenda.
1. BOLSTER CYBER RESILIENCE MEASURES
According to PwC’s Cyber Security Outlook 2023, 90% of UK senior executives ranked the increased exposure to cyber risk due to accelerating digital transformation as the biggest cybersecurity challenge for their organization. Cyber risks trump other risks associated with inflation, macroeconomic volatility, climate change, and geopolitical conflict. 25% of UK business leaders are also bracing for their company to be highly exposed to cyber risks over the next five years.
The Cyber Breaches Survey 2023 by the Department for Science, Innovation & Technology highlights the measures taken by large UK businesses to curb cyberattacks:
- 63% have undertaken cybersecurity risk assessments in the last year
- 72% have deployed security monitoring tools
- 55% are insured against cybersecurity risks
- 55% review the risks posed by their immediate suppliers
Cybersecurity leaders at Dell and Accenture also suggest three key actions for CISOs to support cyber resilience and speed up recovery if attacked:
- Implement a “lifeboat” scenario: Review technology dependencies, identify critical processes and assets, understand RTO/RPO requirements, and implement and regularly test recovery processes. That way, organizations can maintain operations if they suffer from a cyberattack.
- Ensure the obligations of third parties align with the organization’s requirements: Identify which critical processes and assets are managed by third-party vendors, validate the scope and liabilities of contracted services, and ensure they align with the organization’s requirements.
- Test the organization’s recovery capabilities: Employ external experts to simulate attacks on the organization’s defenses. Observe how the IT and business teams react, and provide guided recommendations for an improved security posture and resilience.
2. MAXIMIZE CLOUD SECURITY INVESTMENTS
As multicloud environments become more prevalent across industries, so do the cyber risks associated with them. PwC’s Cyber Security Outlook 2023 highlighted the top cybersecurity concern among UK business leaders: cloud-related threats. 39% of CISOs expect cloud-related threats to affect their organization the most. Cloud security threats pose the most risks compared to threats from laptop and desktop endpoints, web applications, and software supply chain. Therefore, it makes sense that UK CISOs are allocating the most budget to cloud security.
According to findings by Cybersecurity in Focus, the top 3 expenditure areas among UK CISOs are:
- 25% Cloud security
- 20% Identity access management
- 18% Security and vulnerability management
Let’s look at how cloud security investments have paid off in the UK’s public and private sectors:
- The Houses of Parliament appointed Ascentor to create a new information assurance process to address the increasing use of cloud-based solutions. Ascentor introduced a risk appetite statement and three different assurance paths based on information sensitivity. The assurance process is now well-established, and risks are regularly reappraised and managed.
- Bravura chose Vodafone Cloud and Security as its hosting and connectivity partner to ensure the protection of business-critical data. Vodafone Cloud managed primary and backup hosting and fixed connectivity and security, freeing up the IT team’s time and increasing efficiency.
- The UK Data Service faced the challenge of providing access to big data while meeting stringent privacy and security requirements. Therefore, the government body deployed solutions from Amazon Web Services (AWS) to offer a seamless and powerful search and analytics experience, enabling them to query any concept held in the data lake at the cell level and enrich data for better insights.
- University of Sunderland sought help from CrowdStrike to modernize its cloud security systems after experiencing a data breach. CrowdStrike offered an effective solution to secure the university’s 5,000 endpoints with little administrative overhead with its unique combination of technology, threat intelligence, and skilled expertise.
3. SECURE BIGGER CYBERSECURITY BUDGETS
73% of CISOs predict that economic instability will negatively impact cybersecurity budgets (Proofpoint). Another report by iomart and Oxford Economics, Security’s Lament: The state of cybersecurity in the UK 2023, supports this, finding that UK businesses that experienced budgetary constraints suffered a 25% increase in cyber incidents.
27% of organizations think their cybersecurity budget is inadequate to combat growing cyberthreats.
Smaller budgets are hindering progress toward cybersecurity goals and creating blind spots in cyber strategies. In addition, rising cyber insurance premiums are taking a toll on overall budgets.
On the other hand, a study by BSS, How CISOs can succeed in a challenging landscape, found that although 61% of CISOs reported increased funding, it was paired with unrealistic expectations and a lack of understanding by budget holders on business threats. Interestingly, 78% of CISOs only received extra funding after the organization experienced high-profile cyberattacks. This has led 55% of CISOs to use the funding to put out immediate fires instead of long-term investments in security solutions.
Here are several strategies UK CISOs can take to seek more funding from the board:
- Get support from other C-suite executives: By getting backing from the CFO and CEO, CISOs can understand business risks better and frame their funding requests accordingly. They can also reach out to colleagues in purchasing and in the business units that will benefit from the extra funding.
- Demonstrate ROI, TCO, and the bottom line: Communicating these three areas is crucial in securing cybersecurity funding. CISOs must take this opportunity to explore the right tools that can help illustrate the effectiveness and value of their security programs to the board.
- Calculate the cost of not implementing security technology: To get the board’s attention, CISOs must calculate and communicate the financial risk of not implementing the security solution, including the likelihood and impact of a breach.
- Understand the board’s risk appetite: How much expense the board is willing to incur in the event of a worst-case scenario varies depending on the organization’s industry, risk tolerance, cyber insurance coverage, data sensitivity, and regulatory environment.
4. IMPROVE RELATIONSHIP WITH THE BOARD
As cybersecurity-related matters align more closely with business strategy, communication between CISOs and board members is paramount. Only 9% of CISOs state that information security is a top priority in the boardroom’s meeting agenda.
Additionally, a mere 22% of CISOs participate in business strategy and decision-making (BSS). Board members are also not as concerned about the susceptibility of the organization to future cyberthreats. A whopping 79% of UK CISOs are worried about their liability in the event of a cybersecurity incident, while the board is more nonchalant; only 54% of directors expressed similar concerns.
According to cyber risk management leader Bitsight, CISOs can improve board relationships with:
- Ongoing communication: Regular open communication with the board on the organization’s cybersecurity posture, emerging threats, and the status of ongoing security initiatives is beneficial. This communication may be quarterly or semi-annual, depending on the needs of the organization.
- Educational engagement: CISOs can provide the board with resources and updates on cybersecurity risks, their impact on the organization, and the measures being taken to mitigate them. This is especially important for board members without a technical background.
- Risk reporting: Cybersecurity risks must be presented in the context of business risks. Explaining the potential impact of cybersecurity vulnerabilities on reputation, financial stability, and regulatory compliance can help the board understand the importance of cybersecurity investments. Risk assessments, metrics, and KPIs can be used to illustrate the potential impact.
- Cybersecurity governance framework: This is a valuable tool for outlining the roles and responsibilities of the CISO, management, and the board in cybersecurity decision-making, budget approval, and incident response.
- Incident response planning: The board should be involved in the development and testing of incident response plans. Board members must be aware of the roles they play in managing and overseeing the response.
- Vendor and third-party risk management: The CISO should strategically manage and reduce risks associated with third-party vendors to increase the board’s confidence. The board should be informed of these risks and how the organization is mitigating them.
5. NAVIGATE COMPLEX CYBERSECURITY REGULATIONS
The UK’s cybersecurity regulation landscape is complex, as the country does not have one unified cybersecurity law. Rather than a single regulation, UK organizations have to refer to a myriad of existing pieces of legislation and adapt them to their organization’s cybersecurity needs.
However, UK companies are receptive to the implementation of data privacy regulations. 59% are very prepared for the General Data Protection Regulation (GDPR) in the UK and EU, as well as the Data Protection Act 2018 (DPA), according to the 2023 Global Data Privacy Law Survey Report by Womble Bond Dickinson. UK respondents are also more comfortable about the impact of privacy regulations on their ability to conduct cross-border business, with 40% stating that they are willing to cover the extra costs incurred by the regulations. However, another study found that 29% of UK CISOs are frustrated with changing regulations, and 64% of CISOs comment that regulations change before they can meet previous requirements (BSS).
UK CISOs can do the following in the meantime:
- Identify which cyber laws the organization needs to comply with by conducting extensive research or hiring a security expert. This includes international regulations if the company serves customers worldwide.
- Create an Information Security Management System (ISMS) with processes the company needs to comply with. Refer to international standards such as ISO 27001 that can provide a suitable framework.
- Keep the board informed on evolving cybersecurity regulations and ensure the organization remains in compliance. This includes discussing the potential legal and financial implications of non-compliance.
6. BOOST UPSKILLING AND TRAINING PROGRAMS
A September 2023 report from the Public Accounts Committee (PAC) warns that a lack of cybersecurity experts in the UK government should be of significant concern. Additionally, 48% of respondents agree that their organization suffers from a lack of expertise. 62% noted at least a quarter of their permanent headcount isn’t based in the UK, which highlights a deficit when it comes to knowledge of local regulations, compliance, and risk.
According to a report by the Chartered Institute of Information Security (CIISec), most also claim the industry is facing a shortage of skills rather than people, hinting that better training could help alleviate challenges in this area. Research by Robert Walters concludes that the greatest shortages will be felt in Yorkshire (73%), London (62%) and the North (55%). Additionally, cybersecurity (56%) is the most sought-after skill in organizations. Instead of taking on the task of training and upskilling existing staff themselves, CISOs can seek support from third parties who offer cybersecurity training.
For example, BT partnered with CAPSLOCK, an accredited cybersecurity boot camp, to retrain 30 employees over 17 weeks. They wanted to make clear that employees don’t need prior IT or security qualifications to break into the industry. Eight months after the boot camp, all learners are working in cyber roles at BT, aligned with their strengths and achievements in the program. Those who excelled in governance topics were assigned roles in governance and assurance, while those who performed well in technical modules are working in fields such as DDoS, security architecture and design, and forensics.
7. IMPROVE SELF-RESILIENCE AND BUILD A SUPPORT TEAM
According to a study by Proofpoint, 74% of UK CISOs are experiencing unreasonable job expectations and overwhelming responsibilities. 79% are concerned about personal liability and 74% have experienced burnout in the past 12 months. Furthermore, 8% of UK CISOs work more than 55 hours per week, which is considered “a serious health hazard” by the World Health Organization (WHO). Worryingly, 50% of respondents say their workload keeps them awake at night, more so than suffering from a cyberattack (CIISec).
Global Resident CISO for Proofpoint, Lucia Milică Stacy, suggests the following on how organizations can support their cybersecurity leaders:
- Bring in cybersecurity experts on the board who understand what the organization and the cybersecurity team grapple with.
- Establish a cybersecurity risk oversight committee to interpret cyber risk and how it affects the broader business goals and the valuation of the organization.
- Make sure the CISO’s frustrations are heard by the board so there is transparency on the threats the organization faces, as well as on what the security team goes through to fight those threats.
In addition, CISOs can reduce stress and the possibility of burnout by delegating tasks to other team members, leveraging time-saving tools and technologies to automate menial tasks, and seeking support from other cybersecurity leaders who share the same challenges by joining business networks and attending industry events.
By focusing on these seven areas, UK CISOs can better protect their organizations from unprecedented risks in the years to come. However, it is important to note that CISOs cannot do this alone. CISOs are under immense pressure, and it is important for organizations to recognize the critical and stressful nature of their role. The board and executive team must equip CISOs with enough support and resources, in addition to recognizing and rewarding CISOs for their contributions.