A recent research report from Moody’s Investors Service observes that organizations have generally increased their cybersecurity investments across the board, but that the additional spending is not necessarily leading to better outcomes or more complete defensive coverage.
Organizations are almost universally adopting basic cybersecurity defenses, and over half now hold cyber insurance, but spending on “advanced” and “robust” defensive solutions continues to lag. 93% of organizations now have a dedicated cybersecurity manager in place, but the frequency and depth of that manager’s interaction with executives varies greatly between companies.
“Basic” cybersecurity investment up, companies still hesitant to spend on “robust” systems
Cybersecurity governance appears to be on the upswing along with general spending, with the majority of organizations now having security management and executives directly interface about IT defenses and remediation plans. However, there are some shortfalls in this arrangement. Communication is better in some organizations than in others, and in many cases stakeholders are being cut out of the loop: cyber incidents are reported to boards of directors twice as often as they are to the public.
The data shows that the closer the reporting structure between cyber managers and executives, the more cybersecurity investment tends to occur. Investment in advanced defenses also correlates with the presence of relevant cyber expertise on the board of directors. And the presence of defined cyber objectives in a CEO’s compensation package correlates with tightened reporting structures. But despite these relationships, the actual role and importance of a cyber manager varies greatly from company to company.
93% of all organizations have a cyber manager, and in some specific industries (such as financial services) that number rises as high as 98%, but only about 50 to 70% of these (depending on industry) report directly to the C-suite. Even fewer (33% to 59%) report directly to CEOs. The survey finds that most organizations have cyber managers report to CIOs or CTOs instead, which would seem a natural arrangement; however, it also finds that this can create certain conflicts of interest. In many organizations CIOs and CTOs are beholden to budget concerns just as much as to security, and situations in which a more generalist CSO is in charge of all security can mean that there is less technical expertise at the executive end of this relationship.
How many boards have at least one director with some level of cybersecurity expertise? This is another area that could use improvement as it relates to informed cybersecurity investment. Fewer than 50% of organizations have a director with this experience on the board, though the figure tops 50% in the financial services industry. The median level of cyber experience on the board in the infrastructure and public categories sits at 0%. Of the companies that do have this expertise on their boards, a little less than half of the time it is derived from hands-on experience.
Public disclosure suffers from lack of transparency
The report notes that public disclosure of cyber incidents is not a transparent process, and that this is another area where organizations vary wildly in their reporting procedures. There are no universal standards, and most industries (save public organizations) are hesitant to voluntarily report to the public: only 33% of financial services companies have done this in the past two years, and only 9% of infrastructure companies. By contrast, 30% to 50% of organizations (varying by industry) reported an incident to the board of directors during that time.
The report finds that this generally comes down to regulation setting the internal tone: categories of business that have special reporting rules show higher rates of public disclosure.
86% of respondents said that they have had at least one full-time cyber specialist on staff since 2019, and an additional 4% plan to add one by the end of 2022. Team size has also consistently increased since 2018. Overall cybersecurity investment jumped 15% in 2019 and another 17% in 2020. And though there is still substantial room for growth (particularly in the public sector), the number of organizations listing cybersecurity as a discrete budget item has also increased over this period.
While there is clearly an increase in cybersecurity investment across the board, it is tilted toward basic defensive measures: vulnerability scans, development of incident response plans, implementation of organization-wide multi-factor authentication, weekly backups and regular cyber risk assessments. None of these are bad things, but most sectors tend to ignore advanced methods, with some particular standouts. The public sector lags all other organizations in nearly every method that was surveyed, and extremely few public sector organizations (only about 10%) make use of penetration testing. The financial services industry is by far the best about adopting advanced defenses.
Some of the cybersecurity investment increase is also going toward standalone cyber insurance; 65% of public sector organizations carry specialized cyber coverage, as do 57% of financial services companies. No industry is below 46% in this category.