SecurityWeek

CISO Strategy

Inside the Mind of a CISO: Survey and Analysis

Inside the Mind of a CISO 2024 is a survey of 209 security leaders to understand the thinking and operational methods and motivations of CISOs.


Inside the Mind of a CISO 2024 is a survey of 209 security leaders commissioned by Bugcrowd and undertaken by Quest Mindshare. The purpose is to understand the thinking and operational methods and motivations of the modern CISO. 

It’s a massive subject. Many of its conclusions could be predicted, and many can be questioned. In the latter category, the report notes that more than 30% of the respondents consider ‘building a security brand for competitive advantage’ to be their #1 priority. Agnidipta Sarkar, VP CISO Advisory at ColorTokens, comments on this: “The latest Bugcrowd report reveals a concerning state of cybersecurity. Only 18% of security leaders prioritize ‘avoiding breaches at all costs’, while more than 30% are striving for the unrealistic goal of ‘building a security brand for competitive advantage’.”

Bugcrowd’s own analysis of the data it collected is highlighted within ‘five CISO myths debunked’. Whether all of these are genuine myths is debatable.

The first myth is the idea that CISOs are opposed to ethical hacking. They are not. “Seventy-three percent of security leaders view ethical hacking in a favorable light, and 75% of them have actually engaged in it themselves.”

This should be no surprise. If the CISO must commit scarce resources to buying a new product, it is only realistic that he or she will examine that product very carefully, both before purchase and in use. No CISO is likely to simply believe what the vendor says.

The second myth is CISOs are mainly management professionals. “Seventy-six percent of CISOs have worked in 3 to 10 cybersecurity roles,” says the survey. Again, this should be no surprise. SecurityWeek’s own CISO Conversations series demonstrates repeatedly that while business acumen must be acquired, technical know-how remains the bedrock of security.

The third myth is that CISOs are only needed in large organizations. “Twenty percent of CISOs lead teams with fewer than 10 members, showing that even smaller teams benefit from the high-level strategizing of a CISO.” It is difficult to criticize this statement. 

The debunked fourth myth is that CISOs are unprepared for AI. “Ninety-five percent of CISOs are already implementing AI-based defensive measures, namely crowdsourced testing, pen testing, and color teaming.” 


The debunked fifth myth is that CISOs all believe in the value of AI. “Fifty-eight percent of CISOs believe that the risks of AI outweigh its potential benefits, while 42% believe in the potential of AI, indicating that there is no consensus on this issue.”

AI is a complex subject discussed at length in the report. The statistics returned are, frankly, confusing and sometimes contradictory. This is not surprising since AI is a nascent technology that is little understood, even by scientists, never mind security professionals. So, it is questionable to claim that CISOs are prepared for AI simply because they are using something that they probably do not understand. Furthermore, justifying this statement with the use of crowdsourced testing (itself one of several subtle advertisements for Bugcrowd’s own services) is more indicative of the pentesters’ preparedness for AI than the CISOs’ preparedness for it.

The fifth myth on the value of AI is irrelevant: AI is what it is, it is here, and it is here to stay. What nobody really understands is how it will evolve, either offensively or defensively. This confusion is confirmed in the report (PDF) by two statistics: 65% of respondents believe that existing solutions are adequate to secure AI, while 76% say the AI landscape is evolving too rapidly to secure.

Bugcrowd explains this contradiction, “What this points to is industry-wide uncertainty as to how rapidly AI will evolve from here on out. Teams are starting to get a handle on the current generation of Gen AI systems. But who knows what the next wave of models will bring?”

Note – Survey results should always be considered with caution. They are essentially subjective questions, answered and analyzed subjectively, from a small sample of subjects. Their purpose is primarily to obtain media exposure and advertise the provider. 

Consider this from the editor of a PR magazine: “Publishing unique survey data is a great way to get ink… Sure, we understand the point is to promote your good or service, but if your data is all about how great you are, it’s an ad at that point.” (Posted on LinkedIn, June 26, 2024) 

This doesn’t mean there is no value in surveys; but SecurityWeek believes the real value comes from questioning the survey’s purpose and its results (thereby getting a better understanding of the issue) rather than simply accepting the survey analysis that is provided by the survey producer.

Related: CISO Conversations: Nick McKenzie (Bugcrowd) and Chris Evans (HackerOne)

Related: Hacker Conversations: Casey Ellis, Hacker and Ringmaster at Bugcrowd

Related: Can You Trust Security Vendor Surveys?

Related: Report Shows Speed and Efficiency of Hackers in Adopting New Technologies

Related: The CISO Forum

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
