Chief information security officers (CISOs) and other IT executives have become more proactive in their approach to cybersecurity investment and risk management, according to a new study.
“Over the past couple of years the landscape has changed dramatically,” researchers at Southern Methodist University’s Darwin Deason Institute for Cyber Security found.
“Cyber risk is now a board-level concern, and everyone is sensitive to cybersecurity.”
The researchers surveyed executives in the public and private sectors and found increasing support for greater investment in cybersecurity, due in large part to news coverage and greater awareness of cyber attacks and the risks associated with those attacks.
The survey found:
- 88 percent of respondents have seen security budgets have increased.
- More than 80 percent of those interviewed have broad and increasing support among senior-level management and corporate boards for their cybersecurity efforts.
Organizations are shifting from a compliance-based approach to cybersecurity to a risk-based approach and are relying on security frameworks to guide their strategy, according to the study, Identifying How Firms Manage Cybersecurity Investment.
“Using these frameworks provides a platform for CISOs to make an understandable, compelling case for specific cybersecurity products and operations,” Deason Institute Principal Investigator Tyler Moore said.
Federal agencies rely on the cybersecurity framework developed by the National Institute of Standards and Technology, the survey found.
“Companies are realizing that simply checking the box for compliance requirements is no longer a sufficient security strategy,” said Bob Kalka, vice president, IBM Security, which sponsored the study.
One of the shortcomings of the checkbox approach was that it did not lend itself to thinking critically about the cyber risks faced by an organization, the study found.
“The checkbox approach achieved compliance, but did not ensure risks were…properly managed. The security frameworks commonly used today invite executives to think rigorously about their organization from a risk perspective, and their widespread use indicates a general maturation of cyber risk management,” according to the study.
Finding personnel with the appropriate skills remains a challenge for IT executives, according to the survey.
Moore said the lack of qualified, available cybersecurity professionals creates its own set of problems.
“In some cases, CISOs say their senior management wants to fund cybersecurity measures more quickly than they can staff them,” he said. “In other cases, senior management is hesitant to fully fund proposed cybersecurity projects because they fear the CISO doesn’t have the personnel available to implement them.”
While private sector IT executives responded that IT budgets have increased, Federal IT personnel responded that budgets for cybersecurity have remained the same, despite high-profile breaches like the one at the Office of Personnel Management that resulted in the theft of data of 21.5 million people.
The appropriations process and arcane procurement rules likely will have to change before Federal IT executives have the ability to purchase cybersecurity tools that allow agencies to respond to new cyber threats quickly, researchers found.
Read the study here. SMU also prepared a blog about the study here.