The role of the Chief Information Security Officer (CISO) has evolved significantly over the past decade as cyber threats have diversified and proliferated. With IT now integral to every aspect of business and mission operations, CISOs carry great responsibility in the ongoing battle to keep their organizations safe from an endless stream of attacks.

Given how quickly both the attack surface and the threat environment change, it can be challenging for CISOs to keep up with what is happening beyond their home borders. To help, this study offers the kind of insights CISOs have long been asking for — to benchmark their situation and experience against others; to learn from what their peers are doing and planning to do; and to validate ideas and obtain solid data to justify investments in these areas.

This study utilized a two-part methodology. First was a quantitative survey that was designed with guidance from a Board of CISOs working at private and public sector organizations in the United States, Canada, Europe, Australia and Asia. Respondents were recruited through direct relationship with CISOs Connect and from a well-screened panel. We received 411 survey completions from respondents identifying as CISOs or CISOequivalent across a broad range of industry sectors. All responses were anonymous.

Additionally, we conducted in-depth discussions with members of our Board to get detailed perspectives on their experiences as CISOs defending their organizations from rampant cyber threats. These individuals are particularly known for their strong technical and business acumen. You will find insights and best practice recommendations from them throughout this report.