Survey: Threat of Fines Drives Board Decisions on Cybersecurity Spend

Thycotic has released its CISO Decisions survey, an independent global study that examines what most influences the board to invest in cybersecurity and the impact this has on CISO decision making.

Based on findings from more than 900 global CISOs/senior IT decision-makers, the research shows boardroom investments in cybersecurity are most commonly the result of an incident or fears of compliance audit failure. Because of this, 58 percent of respondents say their organizations plan to increase security budgets in the next 12 months.

There are positive signs that boards are stepping up with investment. More than three quarters (77 percent) of respondents have received boardroom investment for new security projects either in response to a cyber incident in their organization (49 percent) or through fear of audit failure (28 percent). Almost a quarter of respondents (23 percent) believe that compliance or threats of fines are the most effective way to persuade boards to invest in cybersecurity.

COVID-19 Drives More Security Investment

Amid growing cyber threats and rising risks through the COVID-19 crisis, CISOs report that boards are listening and stepping up with increased budgets for cybersecurity, with the overwhelming majority (91 percent) agreeing that the board adequately supports them with investment. Almost three in five believe that in the next financial year they will have a larger security budget because of COVID-19.

CISO Challenges Still Exist

However, CISOs have their work cut out to gain the board’s support. Almost two fifths (37 percent) of participants’ proposed investments were turned down because the threat was perceived as low risk or because the technology lacked demonstrable ROI. One third (33 percent) believe senior management does not comprehend the scale of threats when making cybersecurity investment decisions.

CISOs Think Strategically But Invest Tactically

CISOs’ own approaches to buying decisions are forward-looking as they try to keep up with industry developments and their sector peers. An overwhelming majority (75 percent) say they want to try out innovative new tools. However, in practice, they are guided by their industry peers, with almost half (4 percent) benchmarking their buying decisions against other companies in their sector. This may lead CISOs to err on the side of proven, known technology rather than trying something new.

This balance is discernible in the way decision-makers describe their organization’s risk profile. Almost half of respondents view their organization as “in the pack” (45 percent) and only a third consider their companies to be “pioneers” (36 percent), embracing new technology advancements. Only 17 percent think their business has its finger on the pulse, prioritizing investments according to the latest security threat.