The CISO Report

Emerging trends, threats and strategies


for today’s security leaders
Executive summary
Splunk sits at the heart of Security Operations for many of the world’s largest and most complex
organizations. We spend our days helping CISOs and their teams get ahead of emerging threats,
respond quickly when incidents inevitably occur, and succeed as business enablers. But we also
wondered, what do global security leaders really think about AI? Is our hypothesis true that CISOs
are becoming central members of the C-suite? Do boards and CISOs speak the same language?

In The CISO Report, we share the results of our original research and offer insights on how
leaders can evolve along with the cybersecurity landscape. Here are some of the most
significant takeaways.

1. Love it or hate it — AI is here to stay

Seventy percent of CISOs believe AI gives the advantage to attackers over defenders, yet 35% are already experimenting with it for cyber defense, e.g., malware analysis, workflow automation and risk scoring. But augmentation doesn’t start with AI: Ninety-three percent of CISOs have extensively or moderately implemented automation into their processes, and AI will only increase that percentage in the future.

2. CISOs often speak a different language than their board

While CISOs’ and their board’s priorities are moving closer together, there is still misalignment. Eighty-four percent of CISOs maintain that their board or governing body cares more about regulatory compliance than security best practices. Thirty-one percent say that projects have been delayed due to lack of funding while 30% say that the security team was unable to support a business initiative.

3. CISOs are now the C-suite

Forty-seven percent of CISOs now report directly to their CEO. Boards are becoming more active security stakeholders. CISOs are being asked to justify their investments, but this isn’t a bad thing. It indicates their leaders are listening and overwhelmingly allocating more budgets for the year ahead (even if it’s still not enough).

4. Most pay ransomware demands

Ninety percent of CISOs report that their organization experienced at least one disruptive attack last year. Even more shockingly, 83% paid attackers in the wake of a ransomware attack — directly, via cyber insurance or with a negotiator — with more than half paying at least $100,000.

The CISO Report | Splunk 02


5. Boards prioritize security funding

Ninety-three percent of CISOs expect an increase in their cybersecurity budget over the next year, yet 83% see cuts in other parts of their organization. Economic challenges are impacting security, but not in the way you might expect: Eighty percent say they have noticed their organization has faced a growing number of threats coinciding with the declining economy.

6. There is no resilience without collaboration

Levels of cybersecurity collaboration are highest with IT operations — likely because those integrations are more established — with 36% maintaining that collaboration was good, and another 40% saying it was good, but improvement was desired. CISOs also hail collaborations with software engineering/application development (42%), the cloud team (40%) and enterprise architecture (27%) as vital to ensure resilience throughout the organization.

About the authors

Ryan Kovar
Distinguished Security Strategist and leader of SURGe
Ryan is a distinguished security strategist and leader of SURGe, Splunk’s security research arm. With over 20 years of experience
as a security analyst, threat hunter, defender and Unix plumber, Ryan loves traveling the world and researching the biggest
problems for Splunk’s customers. Prior to Splunk, he worked at DARPA, US Navy, the UK Home Office and other organizations as a
security practitioner and leader. Ryan has an MSc in Cyber Security from the University of Westminster.

Kirsty Paine
Field CTO and Strategic Advisor, Technology and Innovation (EMEA)
Kirsty Paine (she/her) is a strategic advisor to Splunk customers. As an experienced technologist, strategist and security
specialist, she thrives on understanding difficult problems and finding creative solutions. Kirsty’s background in cyber security
stems from her mathematical roots, built over years working at the UK National Cyber Security Centre, specializing in security,
privacy and internet technologies.

Contents

04 Today’s CISO: On the front lines of change
06 Generative AI elicits genuine insights
■ Generative AI fills critical gaps in cyber defense
10 CISOs and the board get priorities straight
■ CISOs expand board presence, own their influence
■ Driving a culture change
■ CISOs embrace — yet question — evolving role
15 CISOs submit to ransomware
■ Ransomware: Attackers get a payday
19 Security investment on the rise
21 Collaboration is key to building resilience
■ Collaboration opens doors, breaks down walls
■ Building resilience into the future
25 A new era of resilience
26 Appendix
32 Methodology

Today’s CISO: On the front lines of change

The role of today’s Chief Information Security Officers (CISOs) is complex and rapidly changing. Eighty-six percent say that the role has changed so much since they became a CISO that it’s almost a different job. They are emerging as strategists and leaders who have a louder voice in the boardroom. And a growing number of them — now 47% — report directly to their CEO.

Of course, their most critical priorities still revolve around defending the organization against an increasingly complex threat landscape. Ninety percent of CISOs have faced a disruptive attack in the last year. And while they’re adapting to stay ahead of cyber attackers, they aren’t getting much sleep at night.

The CISO story, then, is about the constant struggle they face
enabling the business to go fast while walking a daily tightrope
between oft-competing priorities — the board’s allegiance to
business success metrics and the practical realities of securing
the organization. For many of them, this means constantly
justifying their teams’ value to the C-suite and the board, while
also filling security gaps caused by staffing shortfalls and
finding new ways to mitigate organizational risk. The balancing
act isn’t easy.

The research illustrates a complete picture of the CISO: the
issues, challenges and opportunities they face on a daily basis.
Yet despite an increasingly sophisticated threat landscape and
an uncertain economic outlook, many are optimistic. More than
ever before, they have an opportunity to become champions
who can effectively change the security culture of their
organization. Boards and CEOs are not only listening, but relying
on them for guidance. And as CISOs look ahead, their focus
will be on collaborating with teams across their organization,
working together to become more resilient so they can not only
weather any storm, but thrive in its aftermath.

Generative AI elicits genuine insights

“We are trying to stay ahead of generative AI.”
— CISO, government organization

We found that the overwhelming majority of CISOs (70%) believe that generative AI will create an asymmetrical battlefield that will inevitably be tipped in favor of cyber adversaries. We are more optimistic than that, though. We know 35% of CISOs are already using AI for positive security applications, and 61% will likely use it in the next 12 months.

Predictably, CISOs thought the highest ranking malicious use cases would be faster and more efficient attacks (36%), voice and image impersonations for social engineering (36%) and extending the attack surface of the supply chain (31%).

Many of these concerns are still theoretical, driven by media reports or as part of researchers’ proof-of-concepts. At the time of writing this report, we haven’t seen generative AI used extensively in real-world attacks or with any more success than human-written phishing scams.

“We are trying to stay ahead of generative AI. We know it is a technology that is being used. Instead of blocking the technology, we are trying to put as many guardrails around it as possible.”
— CISO, government organization

Generative AI fills critical gaps in cyber defense

Will AI replace jobs? Not entirely. Eighty-six percent of CISOs believe that generative AI will alleviate skills gaps and talent shortages that they have on the security team. That means instead of replacing jobs, generative AI will more likely be used to fill in labor-intensive and time-consuming security functions that security professionals are reluctant to do anyway (writing policy documents, perhaps?), freeing them up to be more strategic. The reality is that there aren’t enough cybersecurity professionals to meet demands. AI might give organizations the ability to supplement staff with everything from documentation to basic ticket triage.

So when it comes to fears that AI might “steal your job,” try thinking of it in the same way as automation — augmenting, rather than replacing, talent. And when it comes to automation, 93% of CISOs say they have extensively or moderately implemented automation into their processes, giving them a lot of room for innovative use cases in the future.

“I don’t know that anybody working in the cybersecurity space has got it easy right now regarding recruiting and retention,” says the CISO of a government organization.

So when it comes to how AI can be used for cyber defense, CISOs have lots of ideas. AI is yet another tool that can address challenges ranging from strategic to deeply technical. It’s not surprising that CISOs are queuing up mundane technical tasks for AI. But we were also excited to see AI opportunities span into strategic functions: challenges around data quality assurance, enriching and prioritizing alerts, and managing security posture analysis and internal communications. While security problems might not be new, AI offers the potential for new solutions.

AI also provides opportunities to elevate staff’s skill sets and education. Forty-six percent plan on getting security teams up to speed on effective prompt engineering. Other policy efforts include training employees to better understand the threats posed by generative AI (39%) and establishing protocols to determine the types of tasks appropriate for AI bots (37%) as opposed to those that should be done exclusively by humans.

“We learn in cyber after the fact, with AI and GAI we can be more proactive, and it may help us with skills shortages.”
— CISO, higher education

How Companies Are Using Generative AI for Cybersecurity

35% Security hygiene and posture management analysis and prioritization
27% Data enrichment of alerts and incidents
26% Analyzing data sources to determine which ones should be optimized or eliminated
26% Internal communications
25% Malware analysis
23% Creating detection rules
23% Creating secure configuration standards
22% Workflow automation
22% Threat hunting
20% Risk scoring
20% Policy creation
19% Incident response and forensic investigation

CISOs and the board get priorities straight

“The board has gotten fairly serious about looking at risk, and cyber is a form of risk.”
— CISO, transportation, tourism and shipping

How do CISOs know if they’re doing a good job? We asked them for their success metrics — what they prioritize and what they think their board cares about the most. There is sometimes a wide variance in those two answers, resulting in misalignment and frustration when executed in the field.

“You can buy all the technology in the world, but if the users are not well trained then things can go bad,” says one technology CISO in an organization of more than 11,000 employees.

CISOs also point out more fundamental differences in values and understanding. “Some of the board understands the importance of security,” adds the CISO of an outsourcing company. “Some do not.”

When they speak about quantifying risk, business value and return on investment, however, CISOs are slowly getting the ear of the board/C-suite:

■ 26% say that they share results of security testing, indicating to boards the best places for intervention and demonstrating smart, proactive leadership.
■ 27% say that they prioritize reporting the ROI of security investments, indicating where interventions and money have already helped, and paving a way to speak directly to the CFO and gain support for future investments.
■ 25% say that the ability to purchase cyber insurance might be the best way to tell boards how ‘safe’ they are; and/or justify the investment elsewhere, too.

“I think the awareness regarding the importance of pentesting and cybersecurity is higher than it was three years ago due to recent events in industry,” says a CISO of a healthcare organization.

This validates another surprising finding: the biggest responsibility for 86% of CISOs is to ensure their governing body/board sees value in funding security investments. As one CISO in transportation puts it, “What the board really wants is risk quantification. They want it in dollars and cents.”

Yet only 20% of boards rated “ROI of security investment” as a measure of success, possibly because they lack the understanding around how ROI impacts risk, relying instead on other metrics indicating security posture improvement.

Requirements for ROI are no doubt tougher. Almost a third (31%) of our respondents say that projects have been postponed or delayed due to lack of funding, while 30% also say the team was unable to support a business initiative.

Also, 84% of CISOs say that their governing board/body equates strong security with regulatory compliance rather than best practices, which might account for the slight disparity in the importance placed on “status and results from internal and/or regulatory compliance audits.” It is not surprising, then, that 90% of CISOs say their governing body/board cares about different KPIs and security metrics today than it did two years ago. “My board loves a number,” says the CISO of a transportation and logistics company. “But the problem with cyber is that it is super hard to come up with one figure that says how good or bad we are.”

For CISOs and board members alike, it’s time to refresh your approach and ensure you’re still aligned.

CISOs expand board presence, own their influence

Overall, our research showed that CISOs are formalizing their seniority: Forty-seven percent of CISOs report directly to the chief executive officer (CEO), followed by 40% reporting to the chief information officer (CIO).

Interestingly, Western Europe is leading this trend, with 54% reporting directly to the CEO and 48% in APAC, while AMER trails at 41%. This is likely due to European legislation, both existing and incoming, that makes the CEO personally liable for security and penalizes them for negligence. In short, ignorance is no longer a defense in the face of a cyber attack.

This shift in reporting illustrates how CISOs are changing their focus toward the business and formalizing their executive roles. Forget closer relationships with the C-suite. They are the C-suite. This trend reflects that security is now as important to organizations as finance (CISO and CFOs work side-by-side). And security risk has become just as costly, litigious and as impactful to share prices as financial risk is.

Driving a culture change

These days, cyber risk is business risk. Organizations often integrate security into their existing business systems and processes. As testament to its importance in the boardroom, a vast majority of organizations (78%) now report having a subcommittee or audit committee focused on cybersecurity, privacy or cyber-risk. This could be due, in part, to Europe’s legislation, which makes the CEO personally liable for security.

Little by little, CISOs are driving change in security culture within their respective organizations, from improving employee awareness to building security requirements into software development and business decision making.

“It takes time to change the culture,” the CISO of a transportation, tourism and shipbuilding company says. “It has very, very little to do with the technology itself and it’s the hardest part of the job.”

They might be pushing on an open door, or their efforts are finally paying off, but it’s clear that their influence on culture extends past their direct sphere of control: Eighty-eight percent report that their governing board or body is making a concerted effort to educate themselves on cybersecurity.

CISOs and Boards Rank Success Factors*

There is close alignment on the factors that indicate a successful cybersecurity program.

CISO   Board   Factor
27%    20%     ROI of security investments
17%    23%     Status and results from internal and/or regulatory compliance audits
26%    21%     Results of security testing
23%    18%     Risk exposure rate or patching/tooling percentage coverage
23%    19%     Feedback from LOB executives / C-suite / Board
22%    18%     Percentage of systems with up-to-date patches
17%    21%     Attainment of security roadmap milestones
16%    19%     Alert inspection and investigation rate
16%    18%     Mean time to respond or remediate (MTTR)
21%    23%     Progress in security/maturity model assessment certifications
20%    18%     Average time it takes to patch a vulnerability
20%    18%     Percentage of systems consistent with policies for security controls
19%    17%     Number of high priority incidents, breaches and other reportable events
18%    20%     Asset and software inventory coverage
25%    23%     Ability to purchase cyber insurance
22%    21%     Percentage of employees completing security awareness training
17%    17%     Number of vulnerabilities identified
14%    14%     Mean time to detect (MTTD)

* Factors ranked in order of largest to smallest difference
CISOs embrace — yet question — evolving role

Whistle-blowing is still trendy; eighty-two percent of respondents say that if their organization was wilfully ignoring security best practices and compliance mandates and putting the business at risk, they would consider becoming a whistleblower. This speaks to a responsibility above their employment, a strong sense of morality and perhaps some lessons learned after shouldering the blame for their organization’s security mishaps.

To say that they are scapegoats might not be an exaggeration: Eighty-four percent agree or strongly agree that they’re worried about their personal liability for cybersecurity incidents. Our experts recommend that you get a personal lawyer (not a company-provided one) that you can call on short notice, should you ever need to.

And when it comes to purchasing decisions, you could do worse than the tried-and-tested, safe options if you need to impress your board: Ninety percent say their governing body/board puts a high degree of faith in industry analyst recommendations.

CISOs Report to the C-Suite
47% Chief Executive Officer
40% Chief Information Officer
5% Chief Financial Officer
4% Chief Operations Officer
2% Chief Risk Officer
1% Chief Compliance Officer
1% SVP/VP/EVP

Many boards and CEOs know that the liability landscape has
shifted, but they feel powerless to effectively respond to these
new dynamics. This opens an opportunity for CISOs to educate
their board and ultimately improve the security posture of their
organization. Ultimately, CISOs now have a bigger seat at the
table and a louder voice in the room. The C-suite and the board
are listening. Security leaders can use their growing platform to
create the change they want to see in the industry.

CISOs submit to ransomware

“My goal: Not to be at the helm when we have a major cyber breach.”
— CISO, company in the banking industry

CISOs are likely going to face a major attack — a staggering 90% reported suffering at least one disruptive attack in their organization over the last year (43% at least once, 34% “a couple of times,” and 13% “several times.”)

90% reported at least one disruptive attack

It should be no surprise that social engineering, OT/IoT, and ransomware are top-of-mind concerns for CISOs — threats that are not only featured prominently in the media, but are also financially devastating. “Your decisions impact how the business runs,” says the CISO of a healthcare organization. “If you make bad choices, you might kill the business.”

Most Concerning Cyber Threats

40% Social engineering attacks
37% Operational technology (OT) and Internet of Things (IoT)
33% Ransomware
30% Insider threats
29% Third-party risk
24% Distributed denial of service attacks
24% Destructive malware
24% Errors and misconfigurations
24% Cryptomining
21% Account takeovers
20% Fraud

Ransomware: Attackers get a payday

All but 4% of our respondents report suffering a ransomware attack, with 52% experiencing one that significantly impacted their business systems and operations.

While 96% is significant, prepare yourself — 83% of those who answered said they paid the ransom. Of those who paid, 18% paid the ransom directly, 37% paid through cyber insurance and 28% paid through a third party.

And it’s not cheap. The most significant number paid somewhere between $25,000 to $99,999 (44%), while more than half of respondents paid more than $100,000; a stunning 9% of respondents (or one in 11) paid $1 million or more. That’s a lucrative business for ransomware gangs — and many desperate organizations gamble with their reputations in the hope of decrypting their data, recovering their systems and preventing the release of sensitive material.

Ransomware Remediation

Who paid the ransom
18% company
37% cyber insurance
28% third-party negotiator

How services were restored when no ransom was paid
11% standard incident response procedures
2% offline/air gapped backup
4% disaster recovery service provider

1% Don’t know
1% Prefer not to say

Ransomware Payouts
9% $1 million or more
16% $250,000 - $999,999
26% $100,000 - $249,999
44% $25,000 - $99,999
4% <$25,000

The majority of CISOs (69%) maintain that paying a ransom makes them vulnerable to legal exposure in the future. Yet even after payment, organizations are often unable to fully recover their lost capabilities — there’s no honor among thieves. And cyber insurance is no silver bullet; it’s often difficult to obtain while falling short of full reimbursement.

The net-net? Make sure you have offline, regularly-tested, segregated back-ups. Designate maintenance responsibility and conduct regular checks that they’re successfully executed. Additionally, run a board-level exercise to exert some real-yet-safe pressure on those systems.

And don’t think boards aren’t watching. Seventy-three percent of CISOs say they feel that their governing body/board is overly concerned about ransomware and the potential threat it poses to their organization. And the majority say that when they faced successful ransomware attacks, the governing body/board required regular updates as they sought to resolve the issue. That scrutiny likely won’t go away anytime soon — but it does give you even more reasons to run exercises with the board.

“The cyber insurance process has changed over the past few years. It is getting to the point where we are wondering if it is worth our time.”
— CISO, finance company

Security investment on the rise

“Resources are my only real weakness — actually having enough hours in the day and having enough people to handle all the responsibilities.”
— CISO, financial services company

Ninety-three percent of organizations actually expect to increase cybersecurity spending, either significantly or somewhat, over the next year. This is great news for security teams, as 85% of CISOs say a reduction in spending would hamper their ability to respond to threats, and 80% say they have noticed that their organization has faced a growing number of threats coinciding with the declining economy.

Yet 83% of CISOs see the cuts in other parts of their organization, and 85% say that they’re worried about the macroeconomic uncertainty and its potential impact on their team.

Almost a third (31%) say that projects have been delayed or eliminated due to a lack of funding. While 87% say they’ve demonstrated a business case for increased budget year-over-year, only 35% say that their boards allocate adequate cybersecurity budgets. With security budgets expected to rise, there’s reason to be optimistic. However, despite increased investment, the additional funding is still not enough for many CISOs wrangling their technical debt.

We saw CISOs are justifying ROI for security investments to the board, and some of them have a focus on tool sprawl. The vast majority (88%) say they see a need to rein in security analytics and operations tools with solutions like SOAR, SIEM and threat intelligence, to address issues of tool sprawl and complexity, with only 2% disagreeing that they need to consolidate their tools. This is a message that always lands well with a CFO — and helps to justify ROI.

2024 Cybersecurity Spending
34% Increase significantly
59% Increase somewhat
6% No change
1% Decrease somewhat
1% Don’t know, too early to say

93% of CISOs expect increases in cybersecurity spending

“My CFO has said my budget will always be sufficient … as long as I can justify funding, then I will get it.”
— CISO, banking industry

Collaboration is key to building resilience

“A great resiliency program is one that is always questioning itself and trying to make itself better. Never staying stable and always pushing against the program and questioning.”
— CISO, telecommunications company

In our conversations with CISOs in the Forbes Global 2000 and beyond, we have advocated for a culture of cross-functional collaboration between security teams, IT and engineering organizations. That’s because we’ve seen repeatedly that collaborative organizations with teams working together can better prevent issues from becoming major disasters, more quickly remediate incidents and ultimately become more adaptable to changing environments. It stands to reason then that 27% of CISOs call out cross-team collaboration between IT operations, security operations and software engineering/development as a significant means of building, expanding and sustaining resilience in their organization.

Collaboration opens doors, breaks down walls

While it’s an incremental culture shift, we’ve seen that teams within organizations are becoming more collaborative. Levels of cybersecurity collaboration were highest with IT operations — likely because those integrations are more established — with 36% maintaining that collaboration was good, and another 40% saying it was good, but improvement was desired. CISOs also hail collaborations with software engineering/application development (42%), the cloud team (40%) and enterprise architecture (27%) as vital to ensure resilience throughout the organization.

Benefits of Collaboration

44% Greater integration between security and IT operations tools and processes
42% Faster time to understand, quantify and prioritize the risk associated with new business initiatives
40% Greater knowledge transfer between groups
37% Greater collaboration on procurement, deployment and operations of security technologies
37% Greater visibility across the attack surface
33% Faster time for risk mitigation
31% More career opportunities for individuals to move to and from the security department
29% Less inter-team conflict/finger pointing

Other notable areas of solid cybersecurity integration include:

■ Application development
■ Observability
■ Customer experience/digital experience

In all three areas, between 73% and 76% of respondents say collaboration was good — either good with no improvement or good with some desired improvement. However, executing on functions collaboratively is often different in practice than in theory. The CISO of a finance company describes the relationship between IT and security as respectful but fractious: “They never challenge what we want to do, but they mutter obscenities under their breaths as they walk away.”

Although it takes some time and effort, there is no downside to collaboration. CISOs extoll the many benefits of collaboration, the biggest being the general integration of security and IT operations tools and processes (44%), which also helps with budget — and justifying ROI.

Building resilience into the future

A significant number of CISOs also say that they will continue to hone the organization’s competencies around resilience by further developing comprehensive incident response plans that clearly outline the steps their teams will need to take in the event of a security incident. As part of that effort, they also will be defining and automating incident response processes across different teams and individuals (25%).

These practices are nothing new for CISOs, who often see resilience as an extension of their security practices — because CEOs tie resilience to risk and response to attacks, it often falls within CISOs’ purview. However, many security responses rely on IT to implement changes, in turn compelling some CISOs to use resilience as a means of working more closely with IT. And the result is improved digital response.

Creating and building a culture of resilience is a monumental undertaking. CISOs believe that collaboration on digital resilience needs to be foundational, from planning and product modernization to business and product strategy. To that end, 55% maintain that they have opportunities to integrate security into all aspects of the software development life cycle, and 50% say that security should be an integral part of the modernization process. CISOs also maintain that resilience collaboration efforts will help explore unusual or anomalous system or network behavior (48%) as well as improve how an organization responds to degradation of critical applications (44%) — reinforcing the need for integrated security and observability functions.

Collaborative Resilience Activities

55% Integrating security into the full software development lifecycle
50% Modernization projects
48% Exploring unusual or anomalous system or network behavior
44% Observability, and how the organization responds to degradation of critical applications or services
38% Crisis management process and protocols

A new era of resilience

The era of CISOs working in bubbles and independent silos is over. CISOs, and in turn the C-suite, are realizing it will “take a village” to become stronger, more secure and ultimately, more resilient. Strategic collaboration with engineering and IT is vital to this mission.

The data in this report makes it clear that CISOs have more face time and influence with CEOs and boards than ever before. And while CISOs might have to work harder to justify technology investments, their leaders are also paying attention and allocating more budget. Little by little, CISOs and their boards are learning to speak the same language.

At the same time, we can’t ignore the unprecedented new challenges and pressures CISOs face. Stringent security regulations, such as updated Securities and Exchange Commission rules in July of 2023, intensify risk for security leaders, potentially making them liable for cyber incidents. AI is opening the door to new opportunities, but can just as easily fall into the hands of cyber adversaries who will leverage it to propel deep fakes, disinformation and more elaborate social engineering schemes. And ransomware continues to introduce complex dilemmas about whether to contain the malware or silently pay off the attackers in hopes that the threat disappears.

CISOs will navigate these headwinds differently, but they can’t go it alone. While there is precedent for integrating security with IT operations, there are signs this type of collaboration is expanding. Security functions work more closely with application development, observability and customer experience, creating opportunities to learn and be more effective across the organization.

While it won’t happen overnight, teams across the organization will become more communicative, collaborative and integrated to expand visibility and increase overall effectiveness, setting them up for even greater success. And as leaders increasingly understand that cyber risk is business risk, the CISO will champion a security-first paradigm that will usher in a new era of resilience.



Appendix

Regional highlights
By region, we divided our respondents into the following categories: North America (41%), Asia-Pacific/Japan (30%) and Western Europe (29%). Their responses to the various topics are as follows:

The role of the CISO

■ Western Europe had the largest percentage of CISOs who reported directly to their CEOs (54%) followed by APAC/Japan (48%) and North America (41%), averaging 47% of total respondents.
■ North America reported the highest percentage of respondents whose role as CISO had changed so much it was almost a different job at 90% (agree or strongly agree) followed by APAC at 89% and Western Europe at 76%.
■ APAC had the highest percentage of respondents whose focus had shifted from controls and implementation to strategy (94%). APAC was followed by North America at 90% and Western Europe at 88%.
■ CISOs’ success metrics vary greatly by region. It’s interesting to note that North America had the highest percentage of respondents (25%) who considered the number of high priority breaches, incidents and reportable events as a success metric. By contrast, a significant number of Western European respondents considered feedback from line-of-business executives, C-suite and the board as the most important measure of success (29%).

Board of directors

■ Misalignment of board and CISO priorities is a source of frustration around the globe, although not consistent across regions. Forty-three percent of North American respondents reported that the security team was unable to support a business initiative compared to only 15% of Western European respondents, likely due to comparatively more stringent regulation in Europe than in the U.S. Thirty-three percent of APAC respondents reported that they had to cut back on cybersecurity staff because of misaligned priorities, compared to only 18% of Western European respondents.
■ Misalignment of board and CISO success metrics is also inconsistent across regions. Thirty percent of North American CISOs say that progress in the security maturity model is most indicative of success to their board, compared to only 16% of respondents in Western Europe. Meanwhile 28% of respondents in APAC say that the percentage of systems consistent with policies for security controls (MFA, WAF, encryption, etc.) was a measure of success for their boards, compared to only 11% of respondents in Western Europe. The largest concentration of respondents in Western Europe (27%) cited status and/or results from internal regulatory compliance audits as the most important success metric for their boards.



Digital resilience

■ North American respondents placed a higher priority on cybersecurity education in their digital resilience strategy than regional counterparts: 30% of North American respondents said educating cybersecurity staff on best practices and ongoing training is most important to ensure digital resilience, compared to 19% respectively in both APAC and Western Europe.

The rise of generative AI

In all regions, early opinions on generative AI’s applications in security are generally optimistic.

■ 84% agree or strongly agree that they will develop their own language models or other AI-based solutions for cybersecurity.
■ 89% agree or strongly agree that they will adopt generative AI for cybersecurity through vendor produced products/functionality.
■ 86% believe that generative AI will alleviate skills gaps/shortages they have on the security team.
■ 82% believe that generative AI bots will take jobs/activities done by humans today.
■ APAC expresses the most hope for AI to be used as a defensive tool, with 24% believing that it would give them either a slight or significant advantage over cyber criminals, compared to 12% of respondents from North America and 17% of Western Europe. That said, all regions express that generative AI would give cybercriminals a slight or significant advantage.
■ It stands to reason then, that respondents from APAC (23%) are most likely to be using generative AI for cybersecurity today, compared to only 11% in North America or Western Europe.
■ Respondents in Western Europe express the most interest in using generative AI for cybersecurity over the next 12 months (57%) compared to 39% of North American respondents and 35% of respondents from APAC.

The threat landscape

■ APAC and Western Europe report seeing the most security gaps in cloud infrastructure at 57% and 51% respectively, compared to North American respondents at 40%.
■ Respondents in APAC are most afraid of attacks on operational technology (OT) and IoT (46%) compared to Western Europeans (25%).
■ While all regions were affected by ransomware, respondents in APAC (64%) and North America (53%) were more likely to experience an attack that significantly affected their systems and business operations, compared to Western Europeans (38%).
■ All regions similarly report paying the ransom, whether directly, through cyber insurance or a third party. Respondents in North America (39%) were more likely to pay between $100,000 and $249,999 than Western Europe (20%) or APAC (14%). However, APAC was more likely to pay $1 million or more (17%) compared to North America (3%) or Western Europe (7%).



Industry highlights

Respondents by Industry

■ Financial Services: 30%
■ Manufacturing: 22%
■ Comms/Media: 9%
■ Technology: 8%
■ Healthcare: 7%
■ Retail/Wholesale: 7%
■ Business Services: 6%
■ Government: 1%
■ Other: 10%

The role of the CISO

CISOs across numerous industries now report directly to the CEO, including:

■ 84% in healthcare
■ 63% of communications and media
■ 44% of manufacturing
■ 34% of financial services

1. Regulatory compliance is the most important priority to CISOs in the retail sector (56%) followed by technology (29%). Data privacy represents the biggest priority for CISOs in communication and media (59%), followed by technology (50%).

2. Almost half of CISOs in the retail sector (48%) cite the number of high priority incidents as the metric most indicative of success. A significant percentage of CISOs in communications and media (34%) cite progress in the security maturity model as the most important success metric. For CISOs in technology (39%), success was associated with the ability to purchase cybersecurity insurance.

3. Across industries CISOs feel like their role has changed so much it was almost like a different job. The CISOs in industries that are the most affected include:

■ Communications and media: 93%
■ Financial services: 92%
■ Technology: 89%
■ Retail/Wholesale: 85%
■ Healthcare: 84%



4. CISOs are most concerned about their personal cybersecurity liability in the following industries:

■ Financial services: 94%
■ Technology: 93%
■ Business services: 86%
■ Healthcare: 84%

5. In almost all industries, CISOs say that (they agree or strongly agree) their role had transitioned from one of implementation and controls to security strategist:

■ Government: 100%
■ Retail/wholesale: 97%
■ Financial services: 95%
■ Business services: 91%
■ Manufacturing: 89%
■ Communications and media: 87%
■ Healthcare: 84%

6. When weighing in on most in-demand skills, CISOs in communications and media point at cloud security the most (47%). CISOs in retail express that they need more senior-level cybersecurity positions (41%).

The board of directors

1. Financial services (92%) and healthcare (92%) are the most likely industries to have a dedicated board-level cybersecurity committee, followed by retail/wholesale (85%) and manufacturing (84%).

2. The retail/wholesale sector is also most likely to have a board that provides adequate budgets to ensure cybersecurity measures are in place (59%), likely attributed to PCI and other customer data privacy regulations. Business services (62%) and financial services (51%) are most likely to have a board that has established governance requirements to ensure cybersecurity incidents are reported. 100% of government CISOs say that their biggest responsibility is to ensure their board sees value in their security investments.

3. Numerous CISOs across many industries regularly participate in board meetings, including:

■ Technology: 100%
■ Government: 100%
■ Communications and media: 94%
■ Healthcare: 88%
■ Manufacturing: 86%

4. CISOs in numerous sectors say their boards equate security with regulatory compliance — representing a source of frustration for CISOs.

■ Financial services: 89%
■ Communication and media: 87%
■ Manufacturing: 87%
■ Healthcare: 84%
■ Business services: 81%

5. To reinforce value to their boards, the majority of CISOs in retail/wholesale (59%) say that they provide their governing body with cyber risk metrics and ask them to make risk-based decisions. The majority of CISOs in business services (52%) say that they position security as a business enabler.



Digital resilience

■ CISOs in numerous industries are employing resilience strategies with teams across the organization. One hundred percent of government CISOs, and 59% of retail CISOs say security operations (SecOps) will drive digital resilience. Seventy-nine percent of technology CISOs and 56% of manufacturing CISOs say that IT operations have a high degree of responsibility for digital resilience.
■ CISOs in business services (76%) and communications and media (63%) cite integrating security into the full software development lifecycle as a major resilience strategy. Fifty-nine percent of CISOs in communications and media say that they consider observability and how the organization responds to application degradation as an activity that builds resilience.

The rise of generative AI

CISOs in industries that express the most fear that generative AI would give either a strong or slight advantage to cyber adversaries included healthcare (88%), manufacturing (76%) and financial services (72%). Fifty-one percent of CISOs in financial services say that they planned to implement specific cybersecurity controls to mitigate AI security risks.

Industries that have the biggest interest in adopting generative AI over the next 12 months include retail (59%), healthcare (56%) and manufacturing (51%).

The majority of CISOs in most industries say that AI will take jobs that currently belong to cybersecurity professionals. But CISOs in manufacturing (80%), financial services (91%) and business services (85%) strongly express that it will alleviate the cybersecurity skills shortage.

The threat landscape

CISOs call out cloud applications and infrastructure as having the biggest security coverage gaps across industries. CISOs in business services (71%), healthcare (64%) and technology (64%) point to cloud applications, while manufacturing CISOs (64%) see the most significant security gaps in cloud security. Financial services (57%) see the biggest gaps in third party/supply chain security.

Ninety-six percent of healthcare organizations and 90% of manufacturing businesses report experiencing at least one disruptive attack over the last year.

A significant percentage of communications and media CISOs (44%) point to incident response processes or communication issues that made the attackers’ job easier. A significant percentage of CISOs in technology (42%) cite vulnerable systems that were unknown, unmanaged or misconfigured.

Numerous industries experienced ransomware attacks that significantly impacted their systems and business operations, including financial services (59%), retail (59%) and healthcare (52%). Perhaps contrary to popular belief, the industry most likely to pay the ransom is retail, with 95% of those reporting that they either paid directly, through cyber insurance or a third party.

Retail was most likely to pay a ransom between $25,000 and $99,999. The majority of communications and media organizations attacked by ransomware (56%) paid between $100,000 and $249,999.



Methodology
An independent research firm conducted two separate studies: quantitative and qualitative. The quantitative study targeted 350 CISOs, CSOs and other qualified executive security leader equivalents. The qualitative research targeted 20 CISOs, CSOs and security leaders in 60-minute in-depth phone interviews.

Geographic Regions
The quantitative survey was distributed across North America (United States, Canada), EMEA (UK, Germany, France) and APAC (Australia, New Zealand, Japan, Singapore, India). Qualitative surveys were conducted in the United States, Canada and the UK.

Industries
Respondents in both qualitative and quantitative surveys
represented 17 industries, including financial services
(banking, securities, insurance), manufacturing, media and
communications, technology, healthcare, retail/wholesale,
business services, government/public sector, education
(K-12, secondary, college/university), agriculture/forestry,
construction/engineering, consumer packaged goods, life
sciences, mining/oil/gas, telecom, transportation, utilities.



Perspectives by Splunk —
by leaders, for leaders.
Get more executive viewpoints on security, IT and engineering at
our online publication, Perspectives by Splunk. You’ll hear from
Splunk's own leaders and experts, as well as guest contributors
from the industry. We aim to deliver interesting, provocative and
actionable insights by people who have done your job at some of
the largest companies in the world.
Visit Perspectives by Splunk


Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.
All other brand names, product names or trademarks belong to their respective owners. © 2023 Splunk Inc. All rights reserved.

23-295950-Splunk-The CISO Report-EB-123
