The recent Thycotic CISO Decisions survey – based on findings from more than 900 global chief information security officers and senior IT decision makers – found that boardroom investments in cybersecurity were most commonly made as the result of a security incident or fears of compliance failure.
Almost four in five (77%) organizations surveyed received boardroom approval for new security projects either in response to a cyber incident (around three in five, 59%) or through fear of an audit failure (around three in ten, 29%).
It would be easy to interpret these results to mean organizations are taking a reactive approach to cybersecurity – approving new investments in short timeframes in response to rapidly moving events. That would be a bad thing. To be effective, cybersecurity must not only react to past attacks and current compliance mandates but anticipate future threats and requirements, and that requires proactive security measures to be taken.
To see these boardroom cybersecurity investments as reactive, however, ignores the complexities of organizational decision making and the interplay of different stakeholder groups. These complexities were examined in some detail in our survey, and the results were quite surprising, including noticeable differences in approaches in different parts of the world.
While CISOs and IT decision makers may well rely on urgent factors to gain board approval for their cybersecurity investment decisions, this doesn’t tell the entire story. The reasons that boards approve investments are quite different to the decision-making process undertaken by CISOs and IT decision makers themselves. These involve a considerable degree of planning and analysis in all of the countries surveyed.
Fear of compliance fines
The fear of compliance fines is certainly a significant factor in convincing executive boards to invest in cybersecurity. EU GDPR, for example, has seen several companies receive fines running to millions of euros resulting from a data breach. Globally, 23% of CISOs and IT decision makers surveyed use this fear factor as an effective motivator to help convince their boards to invest in cybersecurity. Another 20% use best practices and standards to persuade boards, and a further 20% focus on return on investment (ROI) by showing how cybersecurity can contribute to business value.
If we look at decision makers in Australia and Singapore/Malaysia, they are much more likely to prioritize ROI analysis – chosen by 28% and 27% of respondents respectively – as the most effective strategy in persuading boards to invest. The second most effective strategy in these APAC countries – cited by 20% of respondents in Australia and 26% in Singapore/Malaysia – was the use of a risk framework such as NIST. So, it seems, rather than using fear to put pressure on boards to approve their cybersecurity recommendations, they often prefer to rely on facts.
Survey respondents also identified their most important sources of information when deciding whether to purchase new cybersecurity products. According to the research, CISOs and other senior IT security decision makers look most often to their peers for guidance. Benchmarking against other companies in their industry was the top method in decision making, with 46% of respondents gauging their efforts in comparison with what their colleagues are doing. Another 43% look to industry analysts as their most important source of information. A significant 39% rely on the opinion of their peers as most important to their decision-making process, and 39% rely on existing relationships with vendors.
Benchmarking with industry peers
One of the more interesting aspects of this research is the differences noted between the nine countries involved in the survey. The UK (48%), New Zealand (40%), Spain (48%) and Singapore/Malaysia (59%) see benchmarking with industry peers as the top source of information in making informed decisions, whereas the USA (45%) and Australia (47%) lean toward industry analysts such as Gartner or Forrester for direction.
Regardless of the country, CISOs and IT decision makers make their decisions based on facts – what is proven in their industry or evaluated highly by industry analysts – rather than the fear of a cyber incident or audit failure. As we have seen, however, this is not necessarily how they inform their case for board-level approval.
For example, privileged access management (PAM) is a proactive cybersecurity measure rated highly by analyst firms like Gartner and Forrester. PAM is also building a solid presence in sectors such as finance, government and education, among others, and gaining strong peer recommendations. These factors make PAM an increasingly popular choice among CISOs and IT decision makers.
However, it may take a cyber incident or fear of audit failure to prompt final sign-off at board level. Once the decision is made, an effective PAM program will help defend against a range of future threats as well as help an organization accelerate cloud adoption – given that the most damaging incidents almost always rely on gaining control of privileged accounts.
COVID spurs cybersecurity investments
Overall, the positive news is that COVID-19 appears to have made it easier for CISOs and IT decision makers to get boardroom approval for cybersecurity investments that directly enable remote working and cloud adoption. Our survey found more than half (58%) of respondents say their organizations plan to add more security budget in the next 12 months.
Amid growing cyber threats and rising risks through the COVID crisis, survey respondents indicated that boards are listening and stepping up with increased budget for cybersecurity, with the overwhelming majority (91%) agreeing that the board adequately supports them with investment. Almost three in five believe that in the next financial year they will have more security budget because of COVID-19.
The reasons boards are making these investments may be reactive to current events, however, and this comes with the risk that they are not sustained in the long term. The widespread use of ROI analysis to support board decisions is therefore very good news. Rather than seeing cybersecurity investments as a cost related to security incidents and audits, considering ROI – and, even better, demonstrating ROI – has the potential to turn this reactive mindset around.
Despite increased funding, CISOs and IT decision makers still face a challenge in how they communicate the reasons for cybersecurity investments to the business. Armed with positive ROI metrics, they would be much better placed to argue for cyber investments that are not only proactive in defending against new threats, but sustainable and with demonstrated benefits for the business as well.