Skip links

New Study Finds Major Challenges and Opportunities in How Companies Manage Their Security Programs


New Study Finds Major Challenges and Opportunities in How Companies Manage Their Security Programs

After years of unprecedented change, study uncovers how security leaders use data and insights to improve the way they measure, optimize and communicate their security programs

Menlo Park, California, May 10, 2022 — Blue Lava, creator of the first Security Program Management (SPM) platform built by, for, and with chief information security officers (CISOs), today released findings from its joint study with Aimpoint Group titled Security Program Management: Priorities and Strategies which explores how security leaders measure and manage security programs and communicate priorities to executives and boards. The report offers valuable insights into the broader understanding of security program management practices, as well as advanced capabilities that some organizations are deploying, including automating operational tasks to free up time for security teams to work on strategic activities.

According to the new study, security leaders — despite spending 41-80 hours per meeting preparing to meet with management — continue to lack tools to automate portions of this activity which would free up hundreds of hours of time annually for CISOs and senior security experts. Today, security leaders have an unprecedented degree of visibility and influence in boardrooms – at the price of frequent scrutiny. A large majority of security leaders now meet with their board of directors quarterly (37.3%) or monthly (39.6%) to communicate security priorities and investment needs.

“The study confirms that while frequent interaction between security leaders and boards of directors has become the norm, CISOs struggle to communicate their risks, progress, needs, and priorities to top executives and boards of directors,” said Demetrios Lazarikos (Laz), 3x CISO and Co-Founder, Blue Lava. “We’re seeing more and more accountability at the Board Level for Cybersecurity initiatives — the recent SEC Guidelines on Cybersecurity is a key initiative that supports this effort.

The report includes detailed information about how often security leaders assess the maturity and effectiveness of their security programs. Key takeaways from the study include:

  • Organizations that today assess the maturity and effectiveness of their security programs only annually, or to meet the needs of audits and special events, should move to more frequent or even continuous updates.
  • Security leaders agree that there are many areas of security program management where improvements would strengthen security and enhance the effectiveness of security teams. 
  • Organizations can obtain the most value from upgrading their ability to collect security data efficiently, to use peer data for benchmarking program performance, to define and implement a security roadmap, to identify, prioritize, and mitigate risks, and to align their security program with business objectives.

This survey was developed by Blue Lava and AimPoint Group. It was conducted in December 2021 in the United States, reaching 268 CISOs, CIOs, and senior security and risk managers, within organizations of 500 or more employees. Responses about these and other standards would differ in other parts of the world.

Read Security Program Management: Priorities and Strategies here.

About Blue Lava

Blue Lava manages the business of security. Built by a team of tenured security operators, Blue Lava is the industry’s first security program management platform, guiding CISOs to measure, optimize, and communicate their programs with confidence and ease. Blue Lava has built long-term relationships with customers, earning the trust of executive teams across various industries, from small businesses to global enterprises.