A new survey of global CISOs and IT decision makers from access management firm Thycotic, shows that board decisions about cybersecurity spending are decidedly reflexive, with the primary drivers being fear of regulatory penalties or the costs of a repeat of a prior breach incident.
At a glance that would seem to be very obvious and sensible; companies are prioritizing spending on measures mandated by law and established threats. But what one might miss is that this is taking place within the context of a cyber threat landscape that is always evolving at incredible speeds, requiring measures that are much more proactive than reactive to effectively secure networks; the results of this survey indicate that organizations may be lagging behind in responding to these various stimuli rather than getting out ahead of emerging issues.
Board decisions are favoring improved funding, but challenges remain
This is not to suggest that organizations are continuing to ignore or downplay cybersecurity as has been the trend in years past. 91% of the survey field, which was composed of 908 senior IT security respondents from organizations around the world, felt that their Boards were adequately funding cybersecurity operations and 58% believed that next year’s annual budget would be increased. Respondents saw the COVID-19 pandemic as a major driver of increased cybersecurity spending.
The challenge for CISOs is not so much in acquiring funding, but in what the cybersecurity spending is focused on and what tools the money can be used for. Boards have developed a general willingness to invest in online and internal network security, with 77% of respondents having seen recent board decisions to invest in new projects. However, those projects are mostly either a response to a security incident that already occurred in the organization (49%) or because of an audit failure (28%).
Board decisions lean away from investing in measures to head off newer or “unproven” threats. Though 75% of CISOs say they are looking to implement new security technologies, 37% of proposed investments were turned down because the board did not feel a risk was serious enough or that a new technology had demonstrated enough return-on-investment potential. 33% of the respondents felt that senior management still did not have a good grasp on the scale of cyber threats when making these investment choices, and 46% said that benchmarking of peers was a significant factor in board decisions about cybersecurity spending.
Most CISOs also do not see themselves as being on the leading edge of security technology. Only 36% described themselves as “pioneers” in this sense, and a mere 17% felt that their organization was adequately keeping up with new security developments. 50% also say that when the company does invest in new security technologies, they never wind up getting full utilization.
More efficient cybersecurity spending
The Thycotic survey observes that 92% of responding CISOs have a clear understanding of what specific impact the organization’s cybersecurity spending will have. So why is it that a full 50% of them end up being abandoned before being fully integrated? Thycotic suggests that too many of these new solutions are too complex to be handled properly by all of the elements on the network, or that they simply do not integrate well with legacy technologies.
Thycotic’s first recommendation to CISOs is to implement a Privileged Access Management (PAM) program with “cloud ready” functionality; not surprising given that is exactly what the firm sells. But the survey conclusions also provide some more generally useful advice about cybersecurity spending.
The survey results indicate that the current primary deciding factor when purchasing a new security technology is that it solves an immediate problem. In addition to rapid “time to value,” Thycotic suggests an added focus on self-sufficiency and technical support to reduce the chances of abandonment due to unforeseen or irreconcilable network problems.
Thycotic also suggests a “compliance bias” that selects for software solutions that do not add to the workload of the security team, managers and compliance personnel. Out-of-the-box reports that are designed to satisfy auditors are a prime feature to look for.
In terms of influencing board decisions about security budgets, Thycotic also suggests focusing on the idea that compliance with regulatory requirements does not automatically correlate with a sound security posture. New acquisitions should also be framed in terms of business value to offset the natural tendency of Boards to view cybersecurity spending as nothing more than an added cost, as Thycotic CISO Terence Jackson observes: “While boards are definitely listening and stepping up with increased budget for cybersecurity, they tend to view any investment as a cost rather than adding business value. There are some encouraging signs, particularly in APAC where ROI is a leading factor in security investment decisions.” Joseph Carson, chief security scientist at Thycotic, adds that security teams should have a business financial risk analyst that can translate the security risk concept into a business risk framing that speaks more to the common language of board decisions.