SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Report reveals relationship between boardroom and cybersecurity investments
Tue, 13th Oct 2020

Boardroom investment in cybersecurity is most commonly triggered by a security incident or by fear of failing a compliance audit. Separately, two thirds (66%) of Australian organisations expect to increase their security budgets in the next 12 months.

This is according to new research from Thycotic, titled CISO Decisions. The independent global study examines what most influences boards to invest in cybersecurity and the impact this has on CISO decision making.

According to the research, there are positive signs that boards are stepping up with investment. Almost nine in ten, or 88%, of Australian respondents (77% globally) have received boardroom investment for new security projects, either in response to a cyber incident (59% of Australian organisations, 49% globally) or through fear of audit failure (29%, 28% globally).

With financial penalties for GDPR now totalling EUR 175 million, 18% of Australian respondents (23% globally) believe that compliance or threats of fines are the most effective way to persuade boards to invest in cybersecurity.

Amid growing cyber threats and rising risks through the COVID-19 crisis, CISOs report that boards are listening and stepping up with increased budgets for cybersecurity: 94% of Australian respondents (91% globally) agree that the board adequately supports them with investment.

Two thirds of Australian respondents (versus 58% globally) believe that in the next financial year they will have more security budget because of COVID-19.

However, chief information security officers have their work cut out to gain the board's support, the report shows. Around two fifths, or 41%, of Australian participants (37% globally) have had proposed investments turned down because the threat was perceived as low risk.

Around two in five, or 39% (37% globally), have had proposals turned down because the projects lacked demonstrable ROI.

Furthermore, 38% of Australian respondents (33% globally) believe senior management does not comprehend the scale of threats when making cybersecurity investment decisions.

The report finds that CISOs' own approaches to buying decisions are forward looking, as they try to keep up with industry developments and their sector peers.

A large majority, or 74% of Australian respondents (75% globally), say they want to try out innovative new tools. However, in practice, many are guided by their industry peers, with two in five, or 40% (46% globally) benchmarking their buying decisions against other companies in their sector.

When considering risk profiles, over two in five, or 43%, of Australian respondents (45% globally) view their organisation as "in the pack", and only around a third, or 32% (36% globally), consider their organisation a "pioneer" that embraces new technology advancements.

Only 21% (17% globally) think their business has its finger on the pulse, prioritising investments according to the latest security threat.

Thycotic CEO James Legg says, “Our study clearly shows that before CISOs can pursue technology innovation they must first educate their stakeholders about the value of cybersecurity.

"Securing boardroom investment requires them to strike a delicate balance between innovation and compliance.

Thycotic CISO Terence Jackson says, “While boards are definitely listening and stepping up with increased budget for cybersecurity, they tend to view any investment as a cost rather than adding business value.

"There are some encouraging signs, particularly in APAC, where ROI is a leading factor in security investment decisions. However, there is still some way to go."

He says, "The fact that boards mainly approve investments after a security incident, or through fear of regulatory penalties for non-compliance, shows that cybersecurity investment decisions are more about insurance than about any desire to lead the field which, in the long run, limits the industry's ability to keep pace with the cybercriminals."