Executive summary
This report summarises and analyses the results of an EU-wide survey run by the European Cyber Security Organisation (ECSO) from November 2020 to January 2021, targeting Chief Information Security Officers (CISOs) or equivalent, from all over Europe and from all sectors. The results are divided into 4 major sections.
The first section covers the different elements of the survey presented to the CISOs and the adopted methodology in reaching out to them. The survey questions were divided into 7 sections pertaining to the different aspects of the daily job and responsibilities of a CISO: General / The work of a CISO; Board investment / Business continuity; Information sharing – Threat intelligence – Crisis management; Certification; Authentication; Liability & Governance; European, Regulatory & Cross-sector aspects. The sections and questions aimed to show that the role of a CISO goes beyond the purely technical prerequisites that may primarily come to mind.
The second section provides some statistics relating to the representation of the respondents’ professional certifications, job positions, and sectors. One of the key observations is that the CISO position is not a harmonised or universally implemented role in every sector, company, and organisation. In addition, professional certification is not a universally agreed upon topic either, as the degree and number of certifications held by CISOs, as well as the importance given to certification, vary a lot from sector to sector.
The third section deep-dives into a sector-by-sector analysis of the different survey elements. For each sector, we have highlighted the major threats targeting it, the cybersecurity challenges it is encountering, the in-company challenges that CISOs encounter on a daily basis, and the regulatory and international cooperation aspects. The covered sectors are energy, finance, food, health, industry/manufacturing, public sector/government, telecommunications, transportation (air – rail – sea – road – space), and utilities (water). There was also an “other” category that contained unique entries from “luxury”, “retail” and “consultancy services covering different sectors”.
Finally, the fourth section provides cross-sector recommendations stemming from the common messages identified in the vertical approach.
• On CISOs’ Roles and Responsibilities: CISOs must be given the weight to implement their decisions with the necessary resources, through involvement in their organisation’s strategy and with a direct channel of communication to their Boards. One of the suggested ways to achieve this is to allow CISOs to sit directly on their Boards with defined legal responsibilities. In turn, CISOs need to learn to report to their Boards by quantifying security risks in terms of economic and financial losses, and to link cybersecurity to business continuity. For these reasons, the majority of respondents consider it appropriate to implement a mandatory Code of Conduct for CISOs, to ensure a cybersecurity posture and Corporate Social Responsibility (CSR) in organisations.
• On budget and investments: Boards think in financial and economic terms to ensure business continuity, but they do not see the link with cybersecurity because cybersecurity does not show a direct return on investment. As such, companies and organisations remain vulnerable because CISOs do not get the necessary resources to ensure holistic protection. To remedy the situation, one of the most common suggestions is for Europe to implement a reporting framework for CISOs to their Boards based on concrete KPIs that would include a risk analysis of the main business assets.
• On Strategic Information Sharing between CISOs: CISOs are very aware of the gaps and limitations of information sharing as there is indeed a lack of cooperation across sectors and across borders. CISOs unanimously call for the creation of a network of CISOs under the umbrella of a neutral European entity that would ensure the coordination of the network and of the shared information across sectors and across borders. Several respondents mentioned ECSO as a potential organisation that carries this neutrality and could be at the source of the network as a coordinator. It is important to note that at the CISO level, there is an interest in sharing strategic information as opposed to operational or technical information.
• On company culture: Company culture and the evolution of mentalities remain extremely slow, and CISOs are often met with resistance when trying to implement a cybersecure culture in their companies for a more cyber-hygienic workplace environment. One of the main recommendations is for CISOs to actively collaborate with human resources departments to elaborate company-wide training and awareness programmes that would be made compulsory for all employees, including Boards.
• On staffing: There is a huge cybersecurity skills gap in the world, and especially in Europe. Europe is already on top of many initiatives and programmes for awareness and to attract more people to cybersecurity education and professions. But there is always more that can be done, and Europe needs to invest more in cybersecurity talents.
At the end of the report, based on the issued recommendations, ECSO announces its intention to create the “CISO’s European Community” in the second half of 2021 for the establishment of a network of cross-sector and cross-border CISOs and to facilitate the sharing of information and strategic intelligence. The CISO’s European Community will be supported by a dedicated platform, initiated by a special collaboration between the Chairs of the UC, Intesa Sanpaolo (finance sector) and EDF (energy sector), for strategic information sharing on threats and on IOCs (Indicators of Compromise) in particular.