A new report reveals more than half of senior cybersecurity decision makers find the biggest concern when taking on a new CISO role is receiving an inaccurate audit of the company's security posture.

Panaseer recently published its 2024 Security Leaders Peer Report, now in its fourth year. The research provides insights into the conundrum many CISOs face surrounding the purpose and value of security controls data in supporting critical business decisions.

The survey of senior cybersecurity decision makers in 1,000+ employee organizations in the U.K. and U.S. found that the biggest concern when taking on a new CISO role is receiving an inaccurate audit of the company's security posture (54%). This is a tacit acknowledgment that inaccurate security data can hide points of weakness and result in security resources not being utilized efficiently.

The issue of data quality was of greater concern to respondents than the lack of security budget (44%) and being scapegoated for a breach (44%).

The same desire to gain complete visibility into security controls data was also highlighted in the top challenges cited by respondents when starting a new CISO role:

  • Getting a true picture of weaknesses in organizational security posture (49%)
  • Understanding the threat landscape (45%)
  • Getting trusted data to enable strategic decisions (43%)

Understanding where security controls are failing is a first step to mitigating cyber risk and making the right decisions; however, 36% of security leaders are totally confident in their security data and use it for all strategic decision making, according to the report.

The report found 95% of respondents said they are highly or somewhat confident that security controls are working effectively all the time, and 88% declared that they trust their security data is accurate.

As a result, 54% of security leaders said they are very confident in their ability to use security data to prioritize actions to have the greatest impact on risk reduction and 96% are confident to some extent.

However, 79% of responding organizations admitted they have been surprised by a security incident that evaded their controls — indicating that data on the status of controls is either inaccurate, or not being properly interpreted to improve security posture.

According to the survey, 90% of security leaders said that improving the accuracy of cybersecurity data is a priority for them in the next 12 months. Additionally, when asked to consider the impact of AI, 76% are concerned about threat actors using AI to find gaps in their organizations’ security controls. Given that they spend on average half (46%) of their time on manually collecting, formatting and presenting this data, finding a more automated way to do it should also be treated with some urgency.