Nearly half of firms still don't have a CISO

Although cyber assaults such as ransomware have risen in number over recent years, many organizations still don’t have a Chief Information Security Officer (CISO). What’s more, some of them are under the impression that they don’t even need one, while others say they are struggling to find the right candidate due to the growing skills gap and the so-called “Great Resignation”.

A new report published by Navisite surveying 130 security, IT, and compliance professionals found that almost half (45%) don’t employ a CISO. Of that group, just a slim majority (58%) think they should have one in the team. 

Most organizations have a cybersecurity strategy, but for the majority (60%), it was developed by teams and people other than the CISO: either the IT department, the compliance department, or executive leadership.

In fact, some companies (21%) don’t have a person dedicated solely to cybersecurity at all, while most of them (75%) experienced an increase in overall cybersecurity threat volume in the past 12 months.

Instilling confidence

Not having an executive to handle cybersecurity hurts the confidence of these companies, the report further said. Among firms with a Chief Security Officer, 70% were confident in the effectiveness of their strategies, while among those without one, 58% were confident.

Finally, many respondents would love to see their organization spend a little more money on cybersecurity solutions, staff, and training.

“The survey results support what we’re seeing across the board: organizations prioritized their security efforts during Covid, but at the same time, they’re acutely aware of how much more they need to do to effectively defend against cyber threats,” said Aaron Boissonnault, Navisite CISO. 

“The data also points to an ongoing problem in the industry: a cybersecurity skills shortage that extends to the highest levels. Companies value and want cybersecurity leadership, but it is increasingly difficult to find and retain these individuals.”