Aligning Perspectives: Cyber Risk Management in the C-Suite

Ivanti’s State of Cybersecurity Research Report Series

As cyberattacks grow more sophisticated — exposing organizations to financial, operational and reputational risk — CISOs must transition from tactical defensive players to strategic leaders.


Introduction

Ivanti surveyed over 3,000 IT and security professionals and organizational leaders across the globe to find out how organizations are adapting to meet rising cybersecurity threats. In this report, we study how CISOs communicate risk up the chain of command, including:

  • Conveying the enormity of the risk their organization faces even when — through some combination of competence and luck — they have not fallen victim to a significant attack to date.
  • Communicating complex cybersecurity risk management concepts to the CEO and board.
  • Evolving their role from that of a technical leader to a strategic influencer — who is as comfortable influencing critical business decisions as they are developing and implementing security policies.

More information about our research study and methodology can be found in the final section.

3,000+

Ivanti surveyed over 3,000 IT and security professionals
on how leadership is facing increased cybersecurity threats.

01

Executive overconfidence

Problem today

Cyber risks are growing more complex and more threatening due to the rapid evolution of technology, increasing sophistication of cyber attackers and expansion of attack surfaces through interconnected systems and devices.

Yet in critical areas, leaders outside IT appear to be overconfident, demonstrating confidence levels that significantly outpace those of IT/security professionals. Consider:

  • 60% of leaders outside IT report being “very” or “extremely” confident in their organization’s ability to prevent or stop a damaging security incident in the next 12 months.
  • Just 46% of IT professionals shared that level of confidence.

The gap suggests leaders outside IT may not truly understand the risks — financial, operational and reputational — posed by mounting cybersecurity threats.



Why it matters

Cybersecurity incidents are sharply on the rise. The International Monetary Fund’s (IMF) April 2024 Global Financial Stability Report explains that the incidence of “extreme losses” is on the rise, and the size of these so-called extreme losses more than quadrupled between 2017 and 2021 to $2.5 billion.

Incidents in the financial sector could threaten financial and economic stability if they erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions.

— IMF Global Financial Stability Report

Ivanti’s research shows that while cybersecurity budgets are growing (71% report budgets are up in 2024), security strategy and investments may not be keeping pace with the growing severity and pervasiveness of threats.

Fully 95% of IT and security professionals believe security threats will be more dangerous due to AI — yet, despite that elevated risk, nearly one in three security and IT professionals have no documented strategy in place to address generative AI risks.

And nearly two in three organizations surveyed are not yet investing in critical areas like external attack surface management and digital forensics and incident response (DFIR).



02

Vulnerability management

Problem today

The majority (55%) of IT/security professionals say their leaders outside IT don’t fully understand vulnerability management. And organizational leaders largely agree with this assessment. Fully 47% of leaders outside IT admit they don’t have a very high level of understanding of the concept.

Given that the number of Common Vulnerabilities and Exposures (CVEs) is sharply on the rise, the discipline of prioritization is becoming increasingly critical.



Why it matters

Vulnerability management is a bedrock principle of modern cybersecurity strategy. The emphasis here is on the word “management.” No security team can be expected to build an impenetrable fortress. Instead, security teams must prioritize efforts and resources, directing attention to areas where they can reasonably expect the best outcome.

When organizational leaders misunderstand this, it can lead to misperceptions of the CISO’s effectiveness, as well as the perceived value of the security team. For example, leaders outside IT may view any successful cyberattack as a failure, even if the threat is quickly contained and neutralized.

Similarly, leaders outside IT who don’t fully understand the concept of vulnerability management may believe the end goal of security is 100% patch compliance instead of effective patch prioritization. More than 1 in 4 IT professionals say patch management is undermined by changing leadership priorities.

1 in 4

IT professionals say patch management
is undermined by changing leadership priorities.

03

Misaligned perspectives

Problem today

Security teams and leaders outside IT have differing views of the potential impacts of cyber risks — including the extent of the damage they can cause and the areas of the organization that are most likely to bear the impact. Executives outside IT are significantly more likely to focus on financial, legal and reputational impacts than their IT and security counterparts. CISOs appear to be looking at risk through a narrower lens — and potentially missing the big picture as a result.



Why it matters

According to IBM’s most recent Cost of a Data Breach Report, the average cost of a data breach in 2023 was $4.45 million — a 15% increase over three years. And research from Chainalysis shows ransomware payments were at an all-time high in 2023, totaling $1.1 billion worldwide.

Cyberthreats are advancing so quickly in size and sophistication that these are no longer just security problems; they can quickly morph into business sustainability crises affecting everything from share price to regulatory standing.

At the same time, organizations are increasingly looking to their CISOs for strategic business advice across a wide range of issues, from AI adoption to managing supply chain risk. And boards are becoming increasingly involved.

  • Our research shows cybersecurity is already a topic at the board level. 86% say cyber risk management is discussed at the board level, and 84% say CISOs are invited to high-level strategic meetings about business decision making, organizational planning, etc.
  • A report from Statista about the impact of cybercrime on U.S. companies shows boards of directors are concerned about issues like reputational damage (43%), significant downtime (39%), loss of customers (38%) and impact on business valuation (38%).

And yet, many CISOs operate with a primary focus on downtime risk rather than seeing the bigger picture.

24% of executive leaders label the reputational impact of cyber risks as “high” compared to only 15% of CISOs.

To evolve into strategic players, security leaders must learn to speak the same language as their CEOs and boards — translating technical know-how into business priorities, such as the financial and reputational impacts of attacks, as well as the legal and regulatory ramifications of data breaches.



04

Action steps

C-level executives must set the tone for the conversation about security preparedness


Robert Grazioli
Chief Information Officer, Ivanti

With so many serious security events hitting the news regularly, CISOs don’t have to fight too hard to convince management of the serious public relations and reputation risks that accompany cyberattacks. Converting that awareness into strategic, long-term buy-in for the CISO’s vision (and the budget to match) is among the most important responsibilities of the modern CISO. With that support in place, CISOs can get to work building effective systems that underpin strong security: breaking down data silos, aligning processes, assuring strong lines of communication and connecting the dots across the organization to expose vulnerabilities and remediate them.

Rethink the role of CISO — and develop the next generation of security leaders


Dr. Srinivas Mukkamala
Chief Product Officer, Ivanti

The role of the CISO has evolved from a tactical security leader to a strategic business partner. In today’s business environment, these security leaders are faced with the challenge of balancing risk management objectives and compliance directives, with employee experience and business goals — and that can be difficult any time these priorities conflict. The best CISOs look at how their decisions will affect the business as a whole and act accordingly.

Realistically, not every company has reached this level of cybersecurity maturity or has access to this type of talented leader. That's because we don’t have a pipeline of enough qualified, highly trained, well-rounded CISO candidates yet. To develop this type of security leader, we need to create more pathways for promising cybersecurity and IT professionals to develop their technical chops, leadership skills and business acumen.

Use “vulnerability management” to socialize the tenets of cybersecurity


Sterling Parker
Senior Vice President of Global Technical Support, Ivanti

Vulnerability management is an absolute bedrock principle of modern cybersecurity strategy and an excellent teaching tool to explain cybersecurity broadly to a lay audience. CISOs today are challenged with up-leveling the threat and vulnerability conversation to a diverse C-suite team. They need to be capable of accurately representing the business and customer impacts of current or potential threats. They also need to balance cybersecurity needs with the needs of the CIO (i.e., availability of solutions). Vulnerability management is about tradeoffs; introducing the concept to senior leaders is an excellent way to start a conversation about the opportunities and limitations of cybersecurity — and the strategic decisions that flow from that.

Another useful framework to up-level a security model understanding for executives outside IT is the CIA triad, which stands for confidentiality, integrity and availability.

  • Confidentiality assures sensitive information is accessible only to those authorized to use it.
  • Integrity means the organization upholds the accuracy, consistency and trustworthiness of data over its entire lifecycle.
  • Availability ensures data and resources are readily accessible to users at the moment they need them.

For CISOs who need to socialize the fundamental opportunities and threats of cybersecurity, the CIA triad provides a balanced and holistic approach to security — helping CISOs get the understanding and buy-in they need on their security vision, incident response posture and execution strategy.

Quantify the impacts of security events on other business functions


Sterling Parker
Senior Vice President of Global Technical Support, Ivanti

At the end of the day, the CISO’s job is to enable the business. Toward that end, CISOs should collaborate with other business functions and stakeholders to understand how security events can affect other areas of the organization.

Working with key stakeholders inside the organization, CISOs can define and track metrics and tools that measure the business-wide impact of security incidents — including company reputation, customer satisfaction, employee engagement and productivity. Sometimes impacts have a longer time horizon; metrics like number of formal complaints, lawsuits, media coverage and customer attrition should also be measured and managed.

The goal is to eliminate blind spots and drive highly informed decision making — for both the security team and the wider leadership team.

Methodology

This report is based in part on two surveys conducted by Ivanti in late 2023 and early 2024: “2024 Everywhere Work Report: Empowering Flexible Work” and “2024 State of Cybersecurity: Inflection Point.” In total, these two studies surveyed 16,200 executive leaders, IT professionals, security professionals and office workers. This report looks specifically at the 3,059 leaders, IT professionals and security professionals surveyed across the two studies.
