Enterprise defenses lag despite rising cybersecurity awareness

Increased executive involvement and higher spending not enough, says study

Organizations are showing more interest in cybersecurity through executive involvement and higher spending. Nevertheless, the added attention is new and more resources need to be directed at defending against cyberattacks, a study shows.

Last year, no information security professionals said they reported to senior executives. Today, 35 percent report quarterly on the state of information security to the company board and the chief executive and about 10 percent report monthly, according to this year's Global Information Security Survey from consultancy Ernst & Young.

While the upper echelon is paying more attention, they are still not spending enough to defend against cyberattackers, who are increasingly sophisticated, according to the survey of senior executives in more than 1,900 companies and government organizations.

Half of the respondents planned to increase their cybersecurity budget by 5 percent or more over the next 12 months, yet 65 percent cited insufficient funds as their number one challenge to operating at a security level expected by their companies. For businesses with revenues of $10 million or less, the number dissatisfied with funding rose to 71 percent.

A larger percentage of budgets need to be directed at security innovation and emerging technologies within the enterprise, such as the use of mobile devices and social media, the survey found. Over the next 12 months, 14 percent of security budgets are being allocated to new technologies, yet respondents said they were unsure whether they were ready to handle the risks posed by corporate use of social media.

"Organizations need to be more forward-looking," Ken Allan, EY global information security leader, said in a statement.

Data protection is being taken much more seriously within organizations. Rather than being treated as a line item in a contract or something left to third parties, as seen in previous surveys, three quarters of respondents were mandating self-assessments or commissioning independent external assessments.

As the attention given to cybersecurity grows, so does the need for skilled professionals. Unfortunately, the available pool of talent is insufficient. Half of the respondents cited a lack of skilled workers as a barrier to meeting all security priorities.

The scarcity of talent is not being properly addressed by an increasing number of executives, the survey found. The percentage of respondents citing a lack of executive awareness or support rose to 31 percent this year, from 20 percent in 2012.

"A lack of skilled talent is a global issue," Allan said. "It is particularly acute in Europe, where governments and companies are fiercely competing to recruit the brightest talent to their teams from a very small pool."

To become more efficient in cybersecurity, EY is recommending that businesses take time to understand the attackers targeting them and then decide on the defense strategies and technology.

"Look for the trophies that they (attackers) would be interested in and organize your defenses around that," Chip Tsantes, a principal in EY's cybersecurity practice, told CSOonline Friday.

Tsantes finds that the digital assets being targeted within an organization often do not correlate with where organizations are spending their money.

Gathering and sharing intelligence on cyberattackers threatening data, networks and business processes is an emerging information security discipline.

A recent survey of security decision-makers found that three quarters of them rated establishing or improving threat intelligence as a top priority for their organizations, according to Forrester Research.

In addition, a recent Ponemon Institute report found that enterprises could reduce annual costs associated with cyber-attacks by 40 percent if they had intelligence they could use to bolster defenses.

The need for improved cybersecurity is well established. Forrester Research found that 45 percent of respondents had experienced a breach at least once in the last 12 months.

EY found that 31 percent of the participants in its survey had seen at least a 5 percent increase in the number of security incidents in their organizations in the same timeframe.

Stories by Antone Gonsalves
