Cesin barometer: CISOs continue to strengthen cybersecurity

Like every year, the Cesin (club of experts in information and digital security) publishes its annual barometer produced with Opinion Way on the cybersecurity of French companies. It was carried out with 282 members of the association (more than half of whom represent companies with more than 5,000 employees). The results show a certain continuity between 2020 and 2021, in a context still dominated by the health crisis and the constraints of teleworking.

On the state of threats in 2021, the survey shows that 54% of companies say they have suffered at least one attack. This is down slightly from the previous year. Which makes the club say that “the implementation of devices is bearing fruit”. With the crisis, the CISOs have raised the security cursors and acquired additional tools. The figures are quite eloquent: deployment of an EDR (+16 points compared to 2020), hardening of the Active Directory (+9 points). We also note that in the face of ransomware, more and more companies are adopting crisis management exercises (40%) and strengthening the security of backups (+10% compared to 2020). With the development of teleworking which continued in 2021, respondents accelerated the implementation of VPNs (91%), the use of multi-factor authentication (90%), as well as encryption solutions ( +7% compared to 2020). In total, companies have on average more than 10 cybersecurity solutions.

Rising budgets and tension on cyber insurance

This tooling and awareness-raising efforts have a cost, but CISOs benefit from an increase in budgets dedicated to security. The barometer notes an increase of 10 points on the share of the security budget between 5 and 10% (36% in 2021 against 26% in 2020) and 5 points for a share beyond 10% (8% in 2021 against 3% in 2020). Optimism is also essential for the year 2022 with 70% of respondents (+13 points compared to 2020). In the profile of security solution providers, companies no longer hesitate to use start-ups for 62% of them (compared to 55% in 2020). In addition, there is a strong expectation for the development of trusted clouds (57%). Zero trust (30%) and SASE (13%) approaches continue to make slow progress in security policy design.

Last salient element of this survey, cyber-insurance. In 2020, this subject was already a source of tension among Cesin members. This year two points annoy CISOs: the use of rating agencies and questionnaires. On the first point, 54% believe that using this type of service is a bad thing. For a large majority of respondents, the established results are not completely reliable and the resulting scores are skewed (79%). The other point lies in the cyber-insurers’ questionnaires, which are increasingly long and intrusive. Some Cesin members plan to send a questionnaire to their cyber-insurer in turn. In any case, many companies are reluctant to renew their contract, faced with the exponential rise in prices, the reduction in coverage and the unattainable demands of insurers.