Board decisions on cybersecurity spending are slowly improving following the impact of regulatory fines and COVID-19.
According to research by Thycotic surveying 908 senior IT security decision makers working within organizations with more than 500 employees, 58% plan to add more security budget in the next 12 months.
Amid growing cyber threats and rising risks through the COVID crisis, CISOs report that boards are listening and stepping up with increased budget for cybersecurity, with 91% agreeing that their board adequately supports them with investment.
In an email to Infosecurity, Joseph Carson, chief security scientist at Thycotic, said he believed the retro-fixing of security to remote working tools was “a path and direction most organizations have been going down, however it was always a lower priority.”
He claimed COVID-19 has accelerated the investment into both cloud and remote working budgets, and this includes the need for secure remote access and the ability to access from any location. “Having a CISO on the board is helping ensure technology that supports remote working environments is also secure by design,” he said.
Terence Jackson, CISO for Thycotic, said that while boards are definitely listening and stepping up with increased budget for cybersecurity, they tend to view any investment as a cost rather than as adding business value. “However, there is still some way to go,” he continued. “The fact boards mainly approve investments after a security incident or through fear of regulatory penalties for non-compliance shows that cybersecurity investment decisions are more about insurance than about any desire to lead the field which, in the long run, limits the industry’s ability to keep pace with the cyber-criminals.”
The research also showed that 77% of respondents have received boardroom investment for new security projects either in response to a cyber incident in their organization (49%), or through fear of audit failure (28%).
Asked if the fear of regulatory fines is an effective way to win budgets, Carson said: “It really depends on how the risk of compliance fines is communicated to the board. If it is done in a way that shows the financial exposure, it highlights a real business risk that must be reduced. The CISO needs to be able to speak the same language as the board, and compliance exposure is a way that the CISO can effectively show tangible financial risks.”
However, 37% of participants’ proposed investments were turned down because the threat was perceived as low risk, or because the technology lacked demonstrable ROI. One-third (33%) believe senior management does not comprehend the scale of the threat when making cybersecurity investment decisions.
Asked if this is proof that boards are able to understand cybersecurity if they are able to determine risk levels, Carson said he believed boards are improving at understanding risks. However, he said this can also be related to the problem that security teams struggle to relate those security investments to business risk, or to show how they help the business ROI.
“The main area for security improvement is always going to be how to convey business ROI from security investments and all security teams need a business financial risk analyst who can convert security risk into business risk,” he said.