Monday, 19th October 2020

Threat of fines focuses the mind

Threat of fines, not FUD, drives board decisions on cybersecurity spend.

Boardroom investments in cybersecurity are most commonly the result of an incident or fears of compliance audit failure, according to an independent global study. The research, commissioned by Thycotic, a provider of privileged access management (PAM) solutions for more than 10,000 organizations worldwide, examines what most influences the Board to invest in cybersecurity and the impact this has on CISO decision-making.

Based on findings from more than 900 CISOs/Senior IT decision-makers globally, the research found more than half, 58%, of IT security decision makers say their organisations plan to add more security budget in the next 12 months.

There are positive signs that Boards are stepping up with investment. More than three quarters (77%) of respondents have received Boardroom investment for new security projects either in response to a cyber incident in their organisation (49%) or through fear of audit failure (28%). With financial penalties for GDPR now totalling EUR 175 million, almost a quarter of respondents (23%) believe that compliance or threats of fines are the most effective way to persuade Boards to invest in cybersecurity.

COVID drives more security investment

Amid growing cyber threats and rising risks through the COVID crisis, CISOs report that boards are listening and stepping up with increased budget for cyber security, with the overwhelming majority, 91%, agreeing that the Board adequately supports them with investment. Almost 3-in-5 believe that in the next financial year they will have more security budget because of COVID-19.

CISO challenges still exist

However, CISOs have their work cut out to gain the Board’s support. Almost two fifths (37%) of participants’ proposed investments were turned down because the threat was perceived as low risk or because the technology had a lack of demonstrable ROI. One third (33%) believe senior management does not comprehend the scale of threat when making cyber security investment decisions.

CISOs think strategically but invest tactically

CISOs’ own approaches to buying decisions are forward looking as they try to keep up with industry developments and their sector peers. There are, however, signs that UK Boards are more risk averse than their US counterparts. Over half of UK decision makers (51%) describe their organisations as ‘in the pack’. By contrast nearly half of US respondents (47%) rate their organisations as pioneers.

An overwhelming majority (75%) say they want to try out innovative new tools. However, in practice, they are guided by their industry peers, with almost half (46%) benchmarking their buying decisions against other companies in their sector. This may lead CISOs to err on the side of proven known technology rather than trying something new.

“Our study clearly shows that before CISOs can pursue technology innovation they must first educate their stakeholders about the value of cybersecurity,” said James Legg, CEO at Thycotic. “Securing Boardroom investment requires them to strike a delicate balance between innovation and compliance.”

This balance is discernible in the way decision-makers describe their organization’s risk profile. Almost half of respondents view their organization as ‘in the pack’ (45%) and only a third consider their companies to be ‘pioneers’ (36%), embracing new technology advancements. Just 17% think their business has its finger on the pulse, prioritising investment according to the latest security threat.

“While boards are definitely listening and stepping up with increased budget for cyber security, they tend to view any investment as a cost rather than adding business value,” said Terence Jackson, CISO for Thycotic. “There are some encouraging signs, particularly in APAC where ROI is a leading factor in security investment decisions.”

“However, there is still some way to go,” he continued. “The fact Boards mainly approve investments after a security incident or through fear of regulatory penalties for non-compliance shows that cybersecurity investment decisions are more about insurance than about any desire to lead the field which, in the long run, limits the industry’s ability to keep pace with the cybercriminals.”