It’s become a cliché in the industry to say that cybersecurity has become a boardroom-level issue, but what evidence do we have to support this claim? Well, here are a few tidbits from some recent ESG research that certainly lend credibility to the business-driven cybersecurity thesis (note: I am an ESG employee):
- When asked to identify business initiatives that are driving IT spending, 43% of respondents said, “increasing cybersecurity.” This was the top business initiative selected followed by “reducing costs” (38%), “improving data analytics for real-time business intelligence” (32%), and “ensuring regulatory compliance” (27%).
- In a similar vein, survey respondents were asked to identify the most important IT “meta-trend” to their organization. Forty-two percent of respondents selected “increasing cybersecurity.” The next most popular response, “using data analytics for real-time business intelligence,” came in at 17%.
- 69% of organizations are increasing their spending on cybersecurity in 2016. These budget increases are being approved by business managers who are now willing to spend more money to improve cybersecurity at their organizations.
As if the ESG data wasn’t enough, we also know that cyber-insurance policies grew by about 35% last year. So aside from increasing cybersecurity budgets, business executives are hedging their bets by transferring risk to third parties.
I view all of this data as good and bad news. On the positive side, we’ve entered a period where business managers realize that they need good security – not just “good enough” security. So what’s the bad news? CISOs must expect to be reviewed more thoroughly based upon business metrics like ROI, cost containment, and continuous improvement. This is relatively unfamiliar territory for many cybersecurity professionals who grew up managing firewalls and mastering the CISSP Common Body of Knowledge (CBK).
Over the next few years, business managers need to develop greater cybersecurity affinity while CISOs must learn to mitigate risk and detect/respond to incidents in an operationally efficient and measurable manner. These challenges will determine cybersecurity success or failure across the organization moving forward.