Brian Sims
Editor
BOARDROOM INVESTMENTS in cyber security are most commonly the result of an incident or fears of compliance audit failure. That’s according to an independent global study commissioned by Thycotic, the provider of privileged access management solutions for more than 10,000 organisations worldwide.
The study examines what most influences the Board to invest in cyber security and the impact this has on Chief Information Security Officer (CISO) decision-making processes. Based on the findings of interviews conducted with more than 900 CISOs/senior IT decision-makers globally, the research finds that more than half (58%) of IT security decision-makers say their organisations plan to add more security budget in the next 12 months.
There are positive signs that Boards are stepping up to the mark with investment. More than three-quarters (77%) of respondents have received Boardroom investment for new security projects either in response to a cyber incident in their own organisation (49%) or through fear of audit failure (28%).
With financial penalties for infringements of the General Data Protection Regulation now totalling EUR 175 million, almost a quarter of respondents (23%) believe that the need for compliance or the threat of fines being imposed are the most effective ways in which to persuade Boards to invest in cyber security.
COVID drives security investment
Amid growing cyber threats and the rising risks brought about by the COVID crisis, CISOs report that Boards are listening and stepping up with increased budget for cyber security, with the majority (91%) agreeing with the survey premise that the Board adequately supports them with investment. Almost three-in-five believe that, in the next financial year, they will have more security budget because of COVID-19.
However, CISOs have their work cut out to gain the Board’s support. Almost two-fifths (37%) of participants had proposed investments turned down, either because the threat was perceived as low risk or because the technology involved was believed to lack a demonstrable return on investment. One-third of respondents (33% to be exact) believe that senior management doesn’t comprehend the scale of the threat posed in the digital/online environment when making cyber security investment decisions.
CISOs’ own approaches to buying decisions are forward-looking as they try to keep up with industry developments and their sector peers. There are, however, signs that UK Boards are more risk averse than their US counterparts. Over half of UK decision-makers (51%) describe their organisations as being ‘in the pack’. By way of contrast, nearly half of all US respondents (47%) to the survey rate their organisations as pioneers.
An overwhelming majority (75%) say they want to try out innovative new tools. In practice, however, they’re guided by their industry peers, with almost half (46%) benchmarking their buying decisions against other companies in their sector. This may lead CISOs to err on the side of proven, known technology rather than trying something new.
Educating stakeholders
“Our study clearly shows that, before CISOs can pursue technology innovation, they must first educate their stakeholders about the value of cyber security,” observed James Legg, CEO at Thycotic. “Securing Boardroom investment requires CISOs to strike a delicate balance between innovation and compliance.”
This balance is discernible in the way in which decision-makers describe their organisation’s risk profile. Almost half of respondents view their organisation as being ‘in the pack’ (45%), while only a third consider their companies to be ‘pioneers’ (36%) by dint of openly embracing new technology advancements. Just 17% think their business has its finger on the pulse, prioritising cyber-focused investment according to the latest security threat.
“While Boards are definitely listening and stepping up with increased budget for cyber security, they tend to view any investment as a cost rather than adding business value,” explained Terence Jackson, CISO for Thycotic. “There are some encouraging signs, particularly so in the APAC where return on investment is a leading factor in security investment decisions.”
Jackson continued: “However, there’s still some way to go. The fact that Boards mainly approve investments after a security incident or through fear of regulatory penalties being imposed for non-compliance shows that cyber security investment decisions are more about insurance than any great desire to lead the field which, in the long run, undoubtedly limits the industry’s ability to keep pace with the cyber criminals.”