Why cybersecurity spending will drive business digitization

As companies shift to digital technologies, they are investing more money in tools to protect their corporate networks and inviting CISOs to help plan and implement enterprise architecture.

The days of CEOs regarding data protection technologies and staff as a budget drain and operating tax that stifles innovation are over. Galvanized by high-profile breaches, companies are shelling out more money to shore up corporate defenses. CEOs also recognize that security is table stakes for building digital products and are entrusting their CISOs with more responsibilities.


Fifty-nine percent of 10,000 C-Suite executives polled by PwC for the new Global State of Information Security Survey said they are investing more in cybersecurity, including data analytics, real-time monitoring, authentication tools that include biometrics and managed security services (MSS). David Burg, PwC’s U.S. and global leader of cybersecurity and privacy, says anecdotal evidence also suggests that companies are turning to CISOs to build security into software, including anything from mobile applications to connected cars that exchange information with smartphones.

CEOs leaning more on CISOs

"What's becoming clear is that senior execs -- CEOs, marketing chiefs and others who worry about digital -- are turning to CISOs and saying, OK how do I solve this? It's not can I do it. The decision to do it has already been made. How do I do this in a way that is secure and safe and minds privacy regulations," Burg tells CIO.com. "It's an important pivot. To remain competitive, organizations today must make a budgetary commitment to the integration of cybersecurity with digitization from the outset."


This new mindset has come at great cost to some of the U.S.'s largest brands. Breach post mortems of Target, Home Depot and dozens of other companies revealed that they had underinvested in IT security, ranging from failure to implement proper tools and best practices to lacking CISOs and other key staff. In many cases, the cost of a breach outweighs the cost of protecting corporate assets. But as companies increasingly create digital services, they are both creating more vulnerabilities and storing more consumer data hackers may exploit. The new thinking goes: You can't compete in digital if you can't protect both corporate and customer information.

Traditionally, CIOs have built and implemented IT systems and then asked their CISOs to layer on security tools, including anything from antivirus software to firewalls. CISOs essentially look at a mosaic of technology, see a hole and buy a security product to fill it, says Burg, who has worked on several such implementations in his career. "The CISO has got to figure out how to protect enormous complexity," Burg says. But if there is one thing the swath of breaches shows, it is that the build-first-protect-later approach is broken.


And CEOs are understanding this more and more. Burg notes that Elwin Wong, CISO of Ross Stores, was also given the role of enterprise architect. Another CISO, whom Burg declined to name, is deeply involved in his organization's shift to agile development and DevOps. These software development models, which favor rapid building, testing and deployment over rigorous documentation and processes, have become the preferred approaches to building digital services, allowing companies to quickly release minimally viable products and tweak them, based on consumer feedback. "Businesses are turning over and saying we have to be good at technology and innovation so we need the cyber guys and gals up front," Burg says.

Cloud, MSS adoption supports digital shift

It's difficult to quantify the number of CISOs who have been endowed with greater responsibilities, but Burg says the proliferation of cloud technologies and managed security service providers (MSSPs) underscores his thesis. Some 63 percent of respondents said they were consuming cloud technologies and benefitting from lower costs, ease of use and the ability to shunt maintenance chores to someone else. Burg also says that cloud software developed and battle-tested by hundreds of engineers, which is typical at large vendors, is safer and easier to deploy than many on-premises technologies.


For similar reasons, 62 percent of companies said they were paying MSSPs for highly technical initiatives such as authentication, data loss prevention and identity management, signaling that businesses are making cybersecurity a priority despite lacking talent to fill key positions.

Upticks in cloud and managed security service adoptions pose an interesting implication. Companies that offload IT to the cloud and cybersecurity operations to MSSPs are ideally freer to focus on products that support their core business competencies. And that allows the entire C-Suite -- CEOs, CIOs, CISOs and CMOs -- to focus on their new digital imperatives. "This signals a very significant shift in business," Burg says.

Stories by Clint Boulton