Two new reports provide an overview of the challenges, responsibilities, and security initiatives of cybersecurity professionals in the retail and hospitality industries.
Each year, the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) surveys cybersecurity leaders from consumer-facing industries to collect data on budgets, personnel, and organizational priorities. The results are published in two separate benchmark reports that offer insight for teams across the retail and hospitality industries.
CISO Benchmark Report
The RH-ISAC CISO Benchmark Report is a decision-making tool that assists CISOs with the allocation of budgets and resources. After several difficult years, the 2023 outlook is optimistic: 70% of CISOs expect their budgets to increase this year, and only 4% expect budget cuts. Similarly, 60% of CISOs anticipate that their full-time employee (FTE) headcount will grow in 2023, with only 3% foreseeing a staff reduction.
The benchmark indicated that the top seven responsibilities of CISOs remain the same as last year, each of them held by at least 92% of CISOs. The seven responsibilities are:
- Security Operations/Incident Response (99%)
- Vulnerability Management (98%)
- Security Awareness (96%)
- Threat Intelligence (95%)
- Tools & Integrations (94%)
- Cloud Security (94%)
- Third-Party Risk Management (92%)
Cybersecurity leaders face numerous challenges: respondents cited more than 400 organizational risks, with the largest shares falling under risk management (30%) and threat intelligence (29%), particularly ransomware and data loss prevention. Regardless of category, CISOs said their organizations currently face the following top ten risks:
- Ransomware
- Data Loss Prevention
- Digital Transformation & Cloud Security
- Third-Party Risk Management
- Identity & Access Management
- Phishing
- Business Disruption
- Vulnerability Management
- Fraud
- Governance, Risk & Compliance
In terms of top initiatives, CISOs are prioritizing vulnerability management in 2023. The benchmark also found that at least 50% of CISOs are focusing on securing hybrid cloud/on-premise environments, ransomware planning, zero trust security architecture, and application security.
Practitioner Benchmark Report
In late 2022, RH-ISAC surveyed cybersecurity practitioners to better understand the challenges and priorities that staff encounter in executing their daily job functions. The data collected produced the inaugural RH-ISAC Practitioner Benchmark, which covers categories ranging from organizational duties and job functions to skill assessment.
The benchmark revealed that 83% of practitioners handle multiple responsibilities, indicating a broad and valuable skill set across the following areas:
- Security Operations (IR) (76%)
- Risk Management (66%)
- Threat Intelligence (CTI) (66%)
- Security Architecture (55%)
Regardless of the job functions they serve, most practitioners (63%) assessed their skills as intermediate to advanced. 93% of practitioners feel they have the skill sets needed to perform their jobs effectively, and more than 80% believe their teams have the skill sets needed to effectively protect critical assets and information. Additionally, 87% said their organization enables them to develop the skills they need to be effective in their current roles.
The biggest challenge practitioners face is time management: the average practitioner spends 27 hours per week on work outside their primary job function (routine daily activities). Improving this requires examining how effective existing tools and team meetings actually are; consolidating and integrating them where possible frees up time for practitioners to concentrate on their core duties. Beyond time management, practitioners also cite the following obstacles:
- Understaffed (66%)
- Overtasked (55%)
- Lack of Visibility in Managed Environments (45%)
- Inadequate Tools, Technology, or Integrations (32%)
When it comes to improving their teams’ collective information security operations, nearly half (48%) of practitioners said they need to focus on developing security architecture capabilities within the next 12 months, specifically:
- Secure Coding
- DevSecOps
- Infrastructure-as-Code
- Orchestration and Automation
- Tool Integrations
Practitioners agree that vulnerability management is both the most significant information security issue their firm currently faces and the most important project their teams need to prioritize in 2023.