The role of the CISO in cybersecurity maturity
In 2024, the number of cyberattacks worldwide increased by a staggering 44%, and this is expected to continue to grow through 2025. Despite this significant increase, a recent survey by Commvault found that only 13% of organisations were considered to have a level of cyber maturity that meant they could effectively prevent or recover from an attack.
Compared to those at the lower end of the cyber maturity scale, organisations with a higher maturity level were able to recover 41% faster from an attack. These organisations were noted as having four out of five resilience markers, from early warning detection tools to an isolated environment for storing an immutable copy of their data, and it is features such as these which enable them to survive attacks better than their less well-prepared competitors.
The CISO role plays a key part in shaping an organisation’s readiness to prevent and handle attacks. However, although they are a firm part of the C-suite, the reality is that a CISO’s authority and influence can vary greatly depending on the organisation. Fully understanding an organisation’s position on this cyber maturity journey, its impact on risk and resilience, and how a CISO could help move the organisation up to the next level involves breaking the maturity cycle into five distinct phases.
In organisations with the least cyber maturity, ensuring there is a minimum viable company is crucial, yet often overlooked. Security is seldom a priority, and those responsible for it are rarely involved in policy making.
Typically, smaller organisations without regulatory pressures or shareholder obligations lack a dedicated CISO role. Cybersecurity is instead managed by the IT team, often reporting to a mid-level IT manager or the CIO. Their focus is usually split between routine tasks like patching software, configuring servers, and setting up laptops. As a result, security measures are often treated as secondary to more immediate business needs, such as sales. This leads to key safeguarding processes, such as multi-factor authentication, being neglected or dismissed as unnecessary barriers to productivity. In these companies, cybersecurity compliance is more of a box-ticking exercise rather than an integral part of the business strategy.
As an organisation grows, its technology estate, workforce, and overall attack surface expand. This makes it an increasingly attractive target for malicious threat actors. With more employees, customers, suppliers, processes, and applications, the number of exploitable vulnerabilities grows. This heightened risk prompts cybersecurity to become a top board priority, often leading to the appointment of a dedicated cybersecurity leader or CISO.
Initially, the role is mostly technical, with the CISO working closely with the development team rather than designing and implementing an organisation-wide cyber strategy. Simultaneously, rising compliance demands require the addition of formal monitoring and auditing solutions. To counteract the risks this creates, IT and security teams must establish robust communication channels with mutually agreed objectives to ensure that no security gaps are left.
As businesses progress on their cybersecurity journey, leaders must be empowered to withdraw from routine technical tasks. Instead, it is a priority to adopt a broader focus on detecting, defending, and recovering from attacks. This shift enables the CISO not only to oversee the implementation of security controls and processes across the company, but also to influence wider business decision-making by embedding security principles into existing and new processes.
At this stage, leadership must stand behind the CISO and support the rollout of essential cybersecurity projects. This usually facilitates a change in mindset across all teams, ensuring that security becomes a central consideration rather than an afterthought.
When a business reaches this level of maturity, strategic cybersecurity planning becomes a fixture at board-level discussions. The CISO works in partnership with the leadership team to address cybersecurity risks, resilience, and recovery, while simultaneously establishing the organisation’s risk threshold levels. Policies are then implemented to ensure operations remain within these agreed thresholds. Regular analysis is also conducted to monitor any changes in the risk profile.
The company is now also well positioned to evaluate the benefits and drawbacks of emerging technologies, integrating cybersecurity as a fundamental element of its overall strategic planning.
In this final stage of maturity, security is inherent in the design of the business, and the CISO is a strong advocate of this at board level. All employees adhere to strict security protocols as standard practice, and cybersecurity is no longer considered supplementary: it underpins every silo of operation. Dedicated security teams are highly skilled at responding to incidents, and the organisation has the right technologies and processes to ensure that resilience and recovery targets are met.
With these capabilities, organisations can position themselves as cyber mature with the confidence that they can protect, defend, and recover from any potential attacks.
So, how can businesses strengthen their cyber maturity and resilience? A key factor is using security tools that provide early warnings of risks (such as insider threats), backed by predefined processes, roles, and incident response plans. It is also essential to have a secure, stable dark site or secondary backup solution that stores immutable copies of critical data, while regularly testing cyber recovery procedures ensures they stay effective and relevant.
Ultimately, cybersecurity should be a shared responsibility across all teams, led by a well-supported CISO whose guidance is valued and actioned by leadership. With these steps in place, businesses can build stronger cyber maturity and be better prepared for future threats.