Survey: CISOs Redefining Security Strategy and Budget in Light of Recent Data Breaches | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Survey: CISOs Redefining Security Strategy and Budget in Light of Recent Data Breaches

November 2, 2015
by Heather Landi
| Reprints

Eighty-eight percent of CISOs and CIOs report that their security budgets have increased in response to high-profile data breaches and many are increasingly using frameworks to define cyber risk and prioritize investment, according to a recent survey.

The Darwin Deason Institute for Cyber Security at Southern Methodist University in Dallas conducted a survey, funded by IBM, in an effort to understand how private sector firms identify, prioritize and invest to manage cybersecurity risks.

In the report, Identifying How Firms Manage Cybersecurity Investment, researchers outline how they interviewed 40 executives with the majority being chief information security officers (CISOs) and others were CIOs and other high-ranking roles. And the survey participants selected were primarily from large firms across four industries – five healthcare firms, eight financial firms, eight retail and 11 government firms. The reminder of the respondents came from other industries, such as energy, automotive and higher education.

Due to the increasing threat to healthcare information security and recent high-profile cybersecurity breaches, cybersecurity risk has now become a board-level concern for many organizations. Of the respondents, 81 percent reported that their upper-level management is supportive of their cybersecurity efforts and 85 percent reported increasing levels of support.

“When asked why there was such a high level of support, most interviewees mentioned recent breaches that have been heavily covered in the news. While breaches have sensitized senior management to the need for improved cybersecurity in the past, the recent breaches have for some reason been attributed as a tipping point for high-level support from the great majority of non-government,” the researchers wrote.

As far as cybersecurity budgets, 88 percent of survey participants reported that their security budgets have increased. Many CISOs and CIOs reported that getting budget for cybersecurity efforts is not as much a challenge as is resourcing cybersecurity projects.

And, finding qualified cybersecurity personnel is a key challenge for many CISOs and CIOs who responded to the survey.

The CISOs and CIOs who participated reported that frameworks play a central role in defining risk perception and investment, and almost every cybersecurity director interviewed reported using a framework to define their firm’s cybersecurity status and prioritize investments, the survey researchers reported.

These frameworks ranged from well-known options such as ISO and National Institute of Standards and Technology (NIST) to homegrown concepts that might be some combination of existing or custom infrastructures.

Of the firms surveyed, the respondents who reported they were spending appropriately on cybersecurity (as opposed to too little or too much) all had a cybersecurity framework.

“CISOs found that their using frameworks aided their efforts to develop an understanding in senior leadership of the business consequences of insufficient cybersecurity,” the researchers stated.

When asked the biggest drivers of cybersecurity investment, perceived risk reduction was the most common response, followed by compliance. Only one respondent selected cost reduction as the top driver of cybersecurity investment.

Respondents also were asked how they identify risks and their prioritization approaches and the top two responses were best practices and frameworks, specifically NIST or other formal IT-to-business risk mapping process. Other to responses included “past attacks on your firm” and “past attacks on other firms,” as well as quantitative measures, although most respondents who selected quantitative measures ranked it as only the third most important factor.

The survey results also found that true quantitative metrics to guide investment decisions has been very rare and only a few subjects mentioned using a numeric return-on-investment metric as a way of prioritizing investments.

“While we have not seen widespread use of ROI calculations in deciding how to invest in security, many CISOs do think about risk in qualitative terms in a way that guides investment decisions. They are acutely aware of the many security risks reported by the media and in trade reports, and they take individual decisions about which threats are most significant to their firm,” the researchers wrote. “Regardless of which threats are the top priority, the CISOs focus their efforts and budgets on selecting the best countermeasures to mitigate the top risks. That the calculus lacks the precision used by traditional ROI calculations could actually be interpreted as a sign of growing sophistication: The old ROI calculations required fudging numbers in a way that might placate management but did not actually help guide the CISO's decision-making process.”

According to the researchers, one of the more promising findings of the survey is the level of information sharing regarding cybersecurity. The respondents indicated that they received threat intelligence from third-party threat intelligence providers and discussed cybersecurity approaches, applications and devices with colleagues.

The researchers also identified a number of CISO “mavericks” who stood out as exceptional in their approach to cyber risk management.  For example, the CISO of one firm established a cybersecurity framework by the attack vectors the firm and industry were seeing.

“The CISO explicitly wanted to shift the risk organization culture from a compliance and governance centric focus to much greater primary focus on deep defensive tooling and skills with deployment consulting,” the researchers wrote.

Get the latest information on Staffing and Professional Development and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

AMIA Warns of Tax Bill’s Impact on Graduate School Programs in Informatics

Provisions in the Republican tax bill that would count graduate student tuition waivers as taxable income would have detrimental impacts on the viability of fields such as informatics, according to the American Medical Informatics Association.

Appalachia Project to Study Relationship Between Increased Broadband Access, Improved Cancer Care

The Federal Communications Commission and the National Cancer Institute have joined forces to focus on how increasing broadband access and adoption in rural areas can improve the lives of rural cancer patients.

Survey: By 2019, 60% of Medicare Revenues will be Tied to Risk

Medical groups and health systems that are members of AMGA (the American Medical Group Association) expect that nearly 60 percent of their revenues from Medicare will be from risk-based products by 2019, according to the results from a recent survey.

83% of Physicians Have Experienced a Cyber Attack, Survey Finds

Eighty-three percent of physicians in a recent survey said that they have experienced some sort of cyber attack, such as phishing and viruses.

Community Data Sharing: Eight Recommendations From San Diego

A learning guide focuses on San Diego’s experience in building a community health information exchange and the realities of embarking on a broad community collaboration to achieve better data sharing.

HealthlinkNY’s Galanis to Step Down as CEO

Christina Galanis, who has served as president and CEO of HealthlinkNY for the past 13 years, will leave her position at the end of the year.