Eighty-eight percent of CISOs and CIOs report that their security budgets have increased in response to high-profile data breaches and many are increasingly using frameworks to define cyber risk and prioritize investment, according to a recent survey.
The Darwin Deason Institute for Cyber Security at Southern Methodist University in Dallas conducted a survey, funded by IBM, in an effort to understand how private sector firms identify, prioritize and invest to manage cybersecurity risks.
In the report, Identifying How Firms Manage Cybersecurity Investment, the researchers outline how they interviewed 40 executives, the majority of them chief information security officers (CISOs), with the rest being CIOs and holders of other high-ranking roles. The survey participants were drawn primarily from large firms across four industries – five healthcare firms, eight financial firms, eight retail firms and 11 government firms. The remainder of the respondents came from other industries, such as energy, automotive and higher education.
Due to the increasing threat to healthcare information security and recent high-profile cybersecurity breaches, cybersecurity risk has now become a board-level concern for many organizations. Of the respondents, 81 percent reported that their upper-level management is supportive of their cybersecurity efforts and 85 percent reported increasing levels of support.
“When asked why there was such a high level of support, most interviewees mentioned recent breaches that have been heavily covered in the news. While breaches have sensitized senior management to the need for improved cybersecurity in the past, the recent breaches have for some reason been attributed as a tipping point for high-level support from the great majority of non-government,” the researchers wrote.
As for cybersecurity budgets, 88 percent of survey participants reported that their security budgets have increased. Many CISOs and CIOs reported that obtaining budget for cybersecurity efforts is less of a challenge than staffing cybersecurity projects.
Finding qualified cybersecurity personnel is a key challenge for many of the CISOs and CIOs who responded to the survey.
The CISOs and CIOs who participated reported that frameworks play a central role in defining risk perception and investment, and almost every cybersecurity director interviewed reported using a framework to define their firm’s cybersecurity status and prioritize investments, the survey researchers reported.
These frameworks ranged from well-known options such as ISO and National Institute of Standards and Technology (NIST) standards to homegrown approaches that might combine existing and custom frameworks.
Of the firms surveyed, the respondents who reported they were spending appropriately on cybersecurity (as opposed to too little or too much) all had a cybersecurity framework.
“CISOs found that their using frameworks aided their efforts to develop an understanding in senior leadership of the business consequences of insufficient cybersecurity,” the researchers stated.
When asked about the biggest drivers of cybersecurity investment, respondents most commonly named perceived risk reduction, followed by compliance. Only one respondent selected cost reduction as the top driver of cybersecurity investment.
Respondents were also asked how they identify risks and how they prioritize them; the top two responses were best practices and frameworks, specifically NIST or another formal process for mapping IT risk to business risk. Other top responses included “past attacks on your firm” and “past attacks on other firms,” as well as quantitative measures, although most respondents who selected quantitative measures ranked them as only the third most important factor.
The survey also found that true quantitative metrics to guide investment decisions have been very rare, and only a few subjects mentioned using a numeric return-on-investment (ROI) metric as a way of prioritizing investments.
“While we have not seen widespread use of ROI calculations in deciding how to invest in security, many CISOs do think about risk in qualitative terms in a way that guides investment decisions. They are acutely aware of the many security risks reported by the media and in trade reports, and they take individual decisions about which threats are most significant to their firm,” the researchers wrote. “Regardless of which threats are the top priority, the CISOs focus their efforts and budgets on selecting the best countermeasures to mitigate the top risks. That the calculus lacks the precision used by traditional ROI calculations could actually be interpreted as a sign of growing sophistication: The old ROI calculations required fudging numbers in a way that might placate management but did not actually help guide the CISO's decision-making process.”
According to the researchers, one of the more promising findings of the survey is the level of information sharing regarding cybersecurity. The respondents indicated that they received threat intelligence from third-party threat intelligence providers and discussed cybersecurity approaches, applications and devices with colleagues.
The researchers also identified a number of CISO “mavericks” who stood out as exceptional in their approach to cyber risk management. For example, the CISO of one firm built a cybersecurity framework around the attack vectors the firm and its industry were actually seeing.
“The CISO explicitly wanted to shift the risk organization culture from a compliance and governance centric focus to much greater primary focus on deep defensive tooling and skills with deployment consulting,” the researchers wrote.