TREND 3
The Lack of Controls Visibility and the Rise of Assurance
With so much data at their fingertips, now is the ideal opportunity for security leaders to pivot to a more proactive approach to cybersecurity.
Only 36% of CISOs are confident enough in their data that they're using it for all strategic decision-making.
Security Leaders Peer Report, 2023
Despite one-third of a security team's time being almost exclusively dedicated to reporting (according to security leaders in 2023), one of the biggest concerns for a new-in-role CISO is receiving an inaccurate audit of the company’s security posture (cited by over half of respondents in 2024). And in 2023, less than half (43%) of CISOs were highly confident in their own ability to continuously evaluate security metrics.
There is a recognition amongst peers that many existing posture assessments are inaccurate, driven by a lack of visibility and poor data quality.
In fact, in 2026, 61% of security leaders agree that they lack real-time visibility into whether controls are working effectively. An additional 61% state that their existing controls environments are too complex to manage effectively, with two-thirds (66%) complaining their existing controls testing and assurance approach is too manual and time-consuming.
This suggests that despite the time dedicated to data analysis and reporting, security leaders are struggling to translate data into actionable insights that inform decision-making and business risk assessments.
In 2023, just 36% of security leaders were confident enough in their security data that they were using it for all strategic decision-making, while one-fifth (21%) were regularly using additional inputs in their analysis due to data uncertainty.
6 out of every 10 CISOs lack real-time visibility of controls effectiveness
Security Leaders Peer Report, 2026
Case study: The importance of adding the 'why' to your data
When we’re going to educate people on the data and we say “Hey, here’s the problem” or “Here’s your trends”, a lot of the data we’re giving people isn’t explaining that ‘why’. We’re just saying “you didn’t patch this” or “you put too many weaknesses into your code”. We don’t say why that’s happening. A lot of tools don’t support that root cause analysis capability natively. And so, we have to think through that data and try to figure out what’s trending.
Just thinking about a recent project, it was illuminating to me to see that it took us 24 days until we discovered 100% of our vulnerabilities. So, if I’m expecting people to patch something in 15 days but it takes us 20 days to find them all, there’s something broken in that process. And now once we’re able to analyze that data and start to root cause analysis the problem, now we can start to effect change.
Shawn M Bowen, speaking in 2023
CISO, ex-World Fuel Services
This hinders communication with stakeholders and presents a major challenge for CISOs over the coming years – especially in the wake of tighter and more stringent regulation.
In response, some are shifting their assessment approach by establishing controls assurance functions to provide continuous visibility into their security posture and assess controls effectiveness. Refining raw data with business context gives these organizations the confidence that controls are deployed, functioning as intended and meeting regulatory standards.
Establishing a unified view of an organization’s security posture that is backed by trusted, contextualized data will become a number one priority for CISOs before 2030. Without continuous visibility, organizations struggle to identify and prevent control failures—one of the leading causes of security breaches.
TL;DR: What this means for security leaders
- Preventing breaches requires shifting to a proactive approach for posture management and away from a reactive response to control failures.
- Security leaders currently struggle with limited visibility and context, making it difficult to turn data into actionable insights for proactive security.
- When designing a CCM program, security leaders must enrich control data with business context to provide insights that inform decision-making and prioritization.
