“Threat of fines drives Board decisions on cyber security spend” asserts Thycotic

Based on the comments received from more than 900 CISOs/senior IT decision-makers, the research reveals that more than half (58%, in fact) of IT security decision-makers’ host organisations are planning to add more security budget in the next 12 months.

There are positive signs that Boards of Directors are stepping up with investment. More than three-quarters (77%) of respondents have received Boardroom investment for new security projects either in response to a cyber incident in their organisation (49%) or through fear of audit failure (28%).

With financial penalties for General Data Protection Regulation infringements now totalling 175 million Euros, almost a quarter of respondents (23%) believe that compliance or threats of fines are the most effective way in which to persuade Boards to invest in cyber security measures.

COVID drives security investment

Amid growing cyber threats and rising risks through the COVID crisis, CISOs report that Boards are listening and stepping up with increased budget for cyber security, with the overwhelming majority (91%) agreeing that the Board adequately supports them with investment.

Almost three-in-five believe that, in the next financial year, they will have more security budget due to COVID-19. However, CISOs have their work cut out to gain the Board’s support. Almost two-fifths (37%) of participants’ proposed investments were turned down because the threat was perceived as low risk or due to the belief that the technology involved had a lack of demonstrable return on investment. One third (33%) of respondents to the study believe senior management doesn’t actually comprehend the scale of the threat posed when making cyber security investment decisions.

CISOs’ own approaches towards buying decisions are forward looking as they try to keep up with industry developments and their sector peers. An overwhelming majority (75%) say they want to try out innovative new tools. However, in practice, they appear to be guided by their industry peers, with almost half (46%) benchmarking their buying decisions against other companies in their sector. This may lead CISOs to err on the side of proven known technology rather than trying something new by way of a solution.

Educating stakeholders

“Our study clearly shows that, before CISOs can pursue technology innovation, they must first educate their stakeholders about the value of cyber security itself,” said James Legg, CEO at Thycotic. “Securing Boardroom investment requires them to strike a delicate balance between innovation and compliance.”

This balance is discernible in the way that decision-makers describe their organisations’ risk profiles. Almost half of respondents view their organisation as ‘in the pack’ (45%), while only a third consider their companies to be ‘pioneers’ (36%) embracing new technology advancements. Just 17% believe their business has its finger on the pulse, prioritising investment according to the latest security threat.

“While Boards are definitely listening and stepping up with increased budgetary spend for cyber security, they tend to view any investment as a cost rather than a decision that will add business value,” explained Terence Jackson, CISO for Thycotic. “There are some encouraging signs, particularly so in the APAC region where return on investment is quite clearly a leading factor in security investment decisions.”

Jackson continued: “That said, there’s still some way to go. The fact that Boards of Directors mainly approve investments after a security incident or through fear of regulatory penalties for non-compliance shows that cyber security investment decisions are more about insurance than about any desire to lead the field which, in the long run, limits the industry’s ability to keep pace with the cyber criminals.”