New research from Kaspersky Lab has found that CISOs lack influence in the boardroom, making it difficult to justify the budgets they need to properly protect their organizations. The report, ‘What It Takes to Be a CISO: Success and Leadership in Corporate IT Security,’ is the result of an inaugural survey carried out by PAC on behalf of Kaspersky Lab that analyzes the status quo and future development of the CISO’s role in organizations across the globe. To collect the data, 250 IT decision-makers in both the manufacturing and services sectors were surveyed from May to July 2018.
The findings show that globally, CISOs believe financially motivated criminal gangs (40 percent) and malicious insider attacks (29 percent) are the biggest IT security risks to their businesses today – and these types of threats are extremely difficult to prevent. CISOs face particular challenges with them because such attacks are either launched by ‘professional’ cybercriminals or assisted by employees who are expected to be protecting the business.
In addition, the rise of cyberthreats combined with the digital transformation that many enterprises are currently undergoing is making the role of the CISO increasingly critical in modern business. The report shows that there is now more pressure on CISOs across the globe than ever: 57 percent consider complex infrastructures involving cloud and mobility to be the top challenge, 54 percent name managing personal data and sensitive information as the second biggest challenge, and 50 percent rank the continuing increase in cyberattacks third.
With pressure on the CISO increasing, budgets allocated to cybersecurity are reported to be growing across businesses worldwide. More than half (56 percent globally and 60 percent in North America) of CISOs are expecting their budgets to increase in the future, while 38 percent of respondents globally – and in North America – expect budgets to remain the same.
Nonetheless, CISOs are up against major budgetary challenges, because it is almost impossible for them to offer a clear return on investment (ROI), or 100 percent protection from cyberattacks. For example, more than a third (36 percent) of CISOs say they cannot secure their required IT security budgets because they cannot guarantee there will not be a breach.
When a business views security budgets as part of the overall IT spend, CISOs find themselves vying for budget against other departments; this is the second most likely reason cited for not getting budget. In addition, a third of CISOs (33 percent) claim the budget they could receive is sometimes prioritized for digital, cloud or other IT projects – which may be able to demonstrate a clearer ROI.
Although ROI is difficult to prove, there’s no denying that cyberattacks can have drastic consequences for businesses, with more than a quarter of respondents identifying reputational (28 percent) and financial (25 percent) damage as the most critical consequences of a cyberattack. However, despite the negative impact of a cyberattack, only 26 percent of the IT security leaders surveyed are members of the board at their respective businesses. Of those who are not board members, one in four (25 percent) believe that they should be.
Overall, the majority of IT security leaders (58 percent) globally believe that they are adequately involved in business decision making. However, as digital transformation becomes key to the strategic direction of large enterprises, cybersecurity should be a top priority. For many organizations, the role of the CISO will need to develop to reflect these changes to give them the ability to influence important business decisions.
“Historically, cybersecurity budgets were perceived as a low priority IT spend, but this is no longer the case,” said Maxim Frolov, vice president of global sales at Kaspersky Lab. “Today, cybersecurity risks are top of the agenda for CEOs, CFOs and Risk Officers. In fact, a cybersecurity budget is not just a way to prevent breaches and the disastrous risks associated with them – it’s a way to protect business continuity, as well as a company’s core profile investments.”