Businesses are Prioritising Cybersecurity Above All Else,

Optiv Security Report Finds

-- 64 percent say IT teams are instructed to focus solely on cybersecurity programmes, even if it slows user productivity --

September 23, 2019, Denver and London – With the rise of the data breach epidemic, and the imposition of comprehensive privacy regulations and significant legislation requirements, cybersecurity has become a tier-one business risk. As a result, the chief information security officer’s (CISO) role in a business has dramatically increased in value. In fact, 64 percent of businesses now prioritise cybersecurity above all else, even if it slows some users’ productivity down, according to a new research report from Optiv Security. The report, “The State of the CISO,” takes an in-depth look at the approach to cybersecurity taken by CISOs, CSOs and senior IT decision makers, the strategies they have in place and their experience of data breaches.

Cybersecurity becomes a business priority

The research found that the importance of cybersecurity is now better understood by business executives and board members. In fact, 96 percent of respondents indicated they are taking a more strategic approach to cybersecurity as a result of being greater aligned with business leaders.

“Some organizations are further along this evolutionary curve than others, but without business’ buy-in to a cybersecurity program, CISOs will undoubtedly struggle to keep their organizations safe from looming cyber threats,” said Andrzej Kawalec, Optiv’s director of strategy and technology, Europe. “We are seeing a significant shift in the industry, whereby cybersecurity is now a business issue. CISOs are being regarded as an important part of major business initiatives such as next-generation digital transformation, which has led to more funding for cyber programs. The board now understands that a major security or compliance miscue can derail a business.”

When it comes to the approach to cybersecurity, the research found that 66 percent of IT security decision makers felt greater awareness of security risks within the IT function has had a significant impact on currently existing cybersecurity policies. Compliance with external standards such as GDPR follows closely behind at 56 percent, but basic functions like vulnerability and patching is only prioritised by 32 percent of respondents. Employee education was deemed a top priority by 58 percent of respondents, as was simplifying infrastructure (54 percent) and aligning security with development operations to create a DevSecOps model (47 percent).

“It is concerning in light of the fact that, by some estimates, unpatched vulnerabilities account for more than half of all data breaches,” continued Kawalec. “By getting the basic functions of cybersecurity right, IT decision makers can drastically improve their chances of defending against a cyber-attack, since unpatched software is often cited as the most common cause of data breaches.”

The greatest security threats

The research also identified that 31 percent of respondents believe that organized crime and politically motivated acts are seen as the greatest threats to cybersecurity, while 28 percent believe this to be hacktivists. Insider threats are seen as critical by 26 percent and just 15 percent of respondents cited third parties as a threat to their cybersecurity. To deal with cybersecurity threats, 92 percent of respondents have an incident response plan in place, but rehearsing this plan is lagging, with 44 percent of businesses stating they only rehearse once a year or less.

The report finds that breaches still seem to serve as a wake-up call for organizations, with 39 percent of businesses implementing changes in their security program only after an incident. While 65 percent cited that recovery from the breach was well coordinated and successful, over a third (35 percent) reported that recovery costs were still higher than it would have cost to invest in better breach defence.

To read the full report, please visit Optiv’s website.

Methodology

Optiv launched an independent research series to discover how IT decision makers approach cybersecurity. To produce its research and resulting report, Optiv worked with London-based research agency, Loudhouse. Loudhouse is an independent agency that specializes in technology and B2B research for global brands.

Loudhouse conducted online interviews with 100 US- and 100 UK-based CISOs, CSOs and Senior IT decision makers at enterprise businesses (between 500 and 5000+ employees), to understand their approach to cybersecurity, the strategies they have in place, and their experience of data breaches.