Tactical vs Strategic: CISOs and Boards Narrow Communication Gap
91% of Survey Respondents Say Their Boards Have Increased Cybersecurity Investment in Response to COVID-19 Pandemic
A global survey of almost 1000 CISO/Senior IT decision makers shows positive signs of Boards’ willingness to invest in cybersecurity — with perhaps one major rider.
The purpose of the survey, commissioned by Thycotic, was to examine the primary drivers in cybersecurity spend decision-making. The resulting survey report shows that 91% of the respondents say their Board has increased cybersecurity investment in response to the COVID-19 pandemic, and around 60% believe they will receive more security budget next year because of COVID-19. This is a welcome sign that Boards are taking cybersecurity seriously.
More than three-quarters of the respondents report they have received investment for new projects either in response to a security incident, or through fear of compliance audit failures. This is the rider in the Boards’ willingness to invest — all three of these investment triggers (COVID, incident response and compliance) are reactive; that is, they are tactical responses rather than strategic plans.
For security teams to adequately defend their systems, they need to get ahead of the adversaries. That requires strategic thinking and planning rather than tactical reaction — which seems to be less acceptable to boardrooms. Indeed, 37% of the respondents have had proposed investments turned down because the threat was perceived as low risk or because the technology had a lack of demonstrable ROI.
The extent to which this is a failure of CISOs to explain threats in business language, or a simple reluctance of the Board to be proactive rather than reactive, is impossible to determine from the survey.
“The fact Boards mainly approve investments after a security incident or through fear of regulatory penalties for non-compliance,” comments Terence Jackson, CISO for the privilege management firm Thycotic, “shows that cybersecurity investment decisions are more about insurance than about any desire to lead the field which, in the long run, limits the industry’s ability to keep pace with the cybercriminals.”
A reactive approach to cybersecurity can have two further negative effects. Firstly, it can lead to excessive ‘shelfware’, where a point product is purchased but never fully utilized; and secondly it can lead to the purchase of inadequate solutions. For the former, half of the organizations taking part in the survey admit that new technology solutions they purchase are never fully utilized, and become shelfware. For the latter, reaction to an issue can lead to a failure to think through the problem. Joseph Carson, chief security scientist and advisory CISO at Thycotic, gives the following example. “Companies can react to the weak password issue by buying password managers,” he told SecurityWeek, “without realizing that what they actually need is an integrated system that can rotate passwords and manage privileges.” When they realize they need a full privilege management system, the password managers become redundant.
Carson nevertheless finds a lot of positivity in the survey results. “One area that I think is key,” he said, “is that the communication between the CISO and the executive Board is getting better. In previous research we found that there was a language barrier between the CISO and the Board — the CISO would think very much about fear and doubt and threats and risk and tend to stress that fear factor. However, this report now shows that CISOs are both being listened to, but also getting the follow through budget. In the past, CISOs and the Board weren’t speaking the same language. This report shows that the communication gap between the CISO and the Board is closing.”
Despite the increased budget to COVID being a reactive decision, Carson nevertheless believes it is a positive response from the Board. “That 91% of respondents say the Board is now adequately supporting the team with the follow-up investments is significant. But there is some bad news that goes with that as well — that with that investment, 50% of the purchased security solutions are not being fully utilized.” He recognizes the reactive nature of security decision-making in much of the world, but sees an interesting cultural difference in Asia. “The factors are a little different in Asia,” he told SecurityWeek, “where they are focusing more on the return on investment. There’s this interesting cultural difference in places like Australia, Singapore and Malaysia where purchasing decision focuses more on ROI.”
The survey also shows that product choice is often geared to benchmarking against what peer companies are doing. This is particularly prevalent in the UK and Europe. In the U.S. and Australia, choice is very much dominated by industry analysts and expertise, where they tend to look at the analysts such as Gartner and Forrester for direction. “Another surprise for me,” he continued, “is that I would have thought the security team would have a strong say in the final decision-making process for new solutions, but in fact in most places it is the operations teams that have a bigger say in what the final solution will be. I think this is because the security teams can look at the problem from a threat and risk perspective, but ultimately the operations teams have to implement, deploy, maintain and upgrade it.”
In the final analysis, the difficulty with all surveys is that the statistics returned are objective facts; but the interpretation of those statistics is subjective. Joseph Carson is fairly upbeat and positive about how the Boards are beginning to take cybersecurity seriously and fund what is necessary. However, it is equally possible to point to the examples given in the survey and suggest that the Boards are merely reacting to what is visibly happening today. There is little in the survey to suggest that boardrooms are ready to support their security teams with longer term strategic rather than tactical approaches to cybersecurity — and it is the strategic approach that is necessary to thwart the adversaries.