A relatively short time ago, organizations based their cybersecurity investment tendencies primarily on industry best practices. In a very short time, this and much of the cybersecurity landscape have changed drastically, according to the authors of a new survey.
"Cyber risk is now a board-level concern," the authors wrote. "And everyone is sensitive to cybersecurity."
The survey, conducted by researchers from Southern Methodist University in Dallas, comprises 40 interviews with healthcare, financial, retail and government CIOs and CISOs. Here are six takeaways from the survey.
• Broadly, respondents said senior-level management and company boards are supportive or very supportive of cybersecurity efforts. Of respondents, 81 percent reported upper-level management was supportive, 85 percent said support has been increasing and no one said support is decreasing.
• Many attribute this high and increasing level of support to the recent data breaches that have been heavily covered in the news.
• Generally, cybersecurity budgets have been growing; 88 percent of respondents report theirs have increased.
• "Perceived risk reduction" was the single most significant driving factor for cybersecurity investment. This was followed by "compliance" concerns. The researchers note "cost reduction" was selected as a top driver by only one respondent.
• When asked how their organizations identify and prioritize the most important cybersecurity threats, there was significant variation among respondents' answers. Respondents said the number one approach used for prioritizing threats was the frameworks provided by "NIST or other formal IT-to-business risk mapping process." This was followed by industry best practices and concerns about prior attacks on the respondents' respective organizations.
• When asked directly whether they felt they had enough information to manage risk and prioritize threats, only 45 percent of CISOs responded with an unqualified "yes." Those who responded "no" typically did so because they believed there were security "blindspots" they were unaware of.