IT security leaders in businesses across the globe have their hands tied when it comes to fighting off cybercrime. They lack influence in the boardroom and find it hard to justify the budgets they need, which inevitably makes their businesses more vulnerable.
This is one of the findings of a new report from Kaspersky Lab, which found that 86 percent of chief information security officers (CISOs) now believe cybersecurity breaches to be inevitable, with financially motivated groups being their primary concern.
From cloud to malicious insiders: the attack surface is widening in modern business
The rise of cyber threats, combined with the digital transformation that many enterprises are currently undergoing, is making the role of the CISO increasingly important in modern business. The Kaspersky Lab report shows that there is now more pressure on CISOs than ever: 57 percent consider complex infrastructures involving cloud and mobility to be a top challenge, and 50 percent are worried about the continuing increase in cyber attacks.
CISOs believe that financially motivated criminal gangs (40 percent) and malicious insider attacks (29 percent) are the biggest risks to their businesses, and these are the threats that are hardest to prevent: either because they are launched by ‘professional’ cybercriminals or because they are assisted by employees who are expected to be on the right side.
Budget justification challenges are leaving CISOs to compete against other departments
The budgets allocated to cybersecurity are reported to be growing. Slightly over half (56 percent) of CISOs are expecting their budgets to increase in the future, and 38 percent of respondents expect budgets to remain the same.
Nonetheless, CISOs are up against major budgetary challenges, because it is almost impossible for them to offer either a clear return on investment (ROI) or 100 percent protection from cyber attacks.
For example, more than a third (36 percent) of CISOs say they cannot secure their required IT security budgets because they cannot guarantee there will not be a breach. The second most common reason for not getting budget is that security is often treated as part of overall IT spend, leaving CISOs vying for funds against other departments. In addition, a third of CISOs (33 percent) said the budget they could have been allocated is prioritized for digital, cloud or other IT projects instead, which may be able to demonstrate a clearer ROI.
CISOs need a board-level audience as the digital transformation takes hold
Cyber attacks can have drastic consequences for businesses: more than a quarter of respondents to the Kaspersky Lab study identified reputational (28 percent) and financial (25 percent) damage as the most critical consequences of a cyber attack.
However, despite the negative impact of a cyber attack, only 26 percent of the IT security leaders surveyed are members of the board at their respective businesses. Of those who are not board members, one in four (25 percent) believe that they should be.
The majority of IT security leaders (58 percent) believe that they are adequately involved in business decision-making at the moment. However, as digital transformation becomes key to the strategic direction of large enterprises, cybersecurity should too. The role of the CISO needs to develop to reflect these changes, giving them the ability to influence decisions.
“Historically, cybersecurity budgets were perceived as a low priority IT spend, but this is no longer the case. The attack surface of modern businesses is growing, and so too is the frequency and impact of cyberthreats and the cost of cyber incidents. The result is that more and more C-Level executives are now treating IT security as an investment,” says Maxim Frolov, vice president for Global Sales at Kaspersky Lab.
“Today, cybersecurity risks are top of the agenda for CEOs, CFOs, and risk officers. In fact, a cybersecurity budget is not just a way to prevent breaches and the disastrous risks associated with them – it’s a way to protect business continuity, as well as a company’s core profile investments.”