researchHQ Key Takeaways:
- The tools most commonly used by security professionals to garner investment in cybersecurity include fear of financial repercussions in worst-case scenarios, return-on-investment (ROI) analysis and risk frameworks.
- Although fear of audit failure or a security incident may help sway the board, cyber investment decisions are usually based on industry benchmarking and analysis.
- COVID-19 has accelerated cybersecurity fears, incentivizing boards to increase cybersecurity budgets.
- The need for cybersecurity investments is best relayed to the board through fact-based ROI analyses rather than costs related to security incidents and audit.
The recent Thycotic CISO Decisions survey – based on findings from more than 900 global chief information security officers and senior IT decision-makers – found that boardroom investments in cybersecurity were most commonly made as the result of a security incident or fears of compliance failure.
Almost four in five (77%) organizations surveyed received boardroom approval for new security projects either in response to a cyber incident (around three in five, 59%) or through fear of an audit failure (around three in ten, 29%).
It would be easy to interpret these results to mean organizations are taking a reactive approach to cybersecurity – approving new investments in short timeframes in response to rapidly moving events. That would be a bad thing. To be effective, cybersecurity must not only react to past attacks and current compliance mandates but also anticipate future threats and requirements, and that requires proactive security measures.
To see these boardroom cybersecurity investments as reactive, however, ignores the complexities of organizational decision making and the interplay of different stakeholder groups. These complexities were examined in some detail in our survey, and the results were quite surprising, including noticeable differences in approaches in different parts of the world.
While CISOs and IT decision makers may well rely on urgent factors to gain board approval for their cybersecurity investment decisions, this doesn’t tell the entire story. The reasons that boards approve investments are quite different from the decision-making process undertaken by CISOs and IT decision makers themselves, which involves a considerable degree of planning and analysis in all of the countries surveyed.
Fear of compliance fines
The fear of compliance fines is certainly a significant factor in convincing executive boards to invest in cybersecurity. Under the EU GDPR, for example, several companies have received fines running to millions of Euros as a result of a data breach. Globally, 23% of CISOs and IT decision makers surveyed use this fear factor as an effective motivator to help convince their boards to invest in cybersecurity. Another 20% use best practices and standards to persuade boards, and a further 20% focus on return on investment (ROI) by showing how cybersecurity can contribute to business value.
If we look at decision makers in Australia and Singapore/Malaysia, they are much more likely to prioritize ROI analysis – chosen by 28% and 27% of respondents respectively – as the most effective strategy in persuading boards to invest. The second most effective strategy in these APAC countries – cited by 20% of respondents in Australia and 26% in Singapore/Malaysia – was the use of a risk framework such as NIST. So, it seems, rather than using fear to put pressure on boards to approve their cybersecurity recommendations, they often prefer to rely on facts.