US CISOs not prepared for cybersecurity regulations
A new survey of over 200 CISOs across a wide range of industries in the United States reveals that many are unprepared for tough new regulations including the SEC's cybersecurity disclosure rules in the USA and the Digital Operational Resilience Act (DORA) in the EU.
The study from Onyxia Cyber shows 67 percent of CISOs report feeling unprepared for these new compliance regulations, while 52 percent admit to lacking sufficient knowledge about how to report cyberattacks to the government.
"As cyber threats escalate and regulations impose heavy penalties for non-compliance, it's imperative for CISOs to reassess and strengthen their security programs in a data-driven way. Our survey reveals critical industry benchmarks, highlighting areas of strength and significant gaps that need urgent attention," says Sivan Tehila, CEO and founder of Onyxia. "CISOs must enhance their preparedness, improve security hygiene, and embrace new technologies like AI to better maximize their existing security tools and protect their organizations."
The report also shows that 56 percent of surveyed CISOs admit being uncomfortable with their current incident response strategies, indicating a significant need for improvement in handling cyber incidents effectively.
In addition, 67 percent report having difficulties in effectively persuading the C-suite of their security strategies and securing buy-in for their initiatives. Interestingly, only 19 percent of those who have been a CISO for five or more years find it very easy to share their strategy with the executive board, while 40 percent of less experienced CISOs say the same.
Basic security measures, such as multi-factor authentication (MFA) and strong passwords, are not universally implemented either. On average, CISOs consider it acceptable for 11 percent of user accounts to have weak passwords and for 13 percent to lack MFA, highlighting areas for improvement.
There's a heavy reliance on manual methods to measure security performance, with 84 percent of CISOs currently measuring the effectiveness and performance of their security programs with spreadsheets, analysts, or a combination of the two. Despite this reliance on manual methods, CISOs see potential in AI: 97 percent believe AI can enhance risk management, 54 percent believe AI capabilities could help them identify gaps and redundancies in security stack coverage, and 42 percent anticipate a role for AI in automating business-level risk reporting.
You can get the full report from the Onyxia site.