The days of CEOs regarding data protection technologies and staff as a budget drain and operating tax that stifles innovation are over. Galvanized by high-profile breaches, companies are shelling out more money to shore up corporate defenses. CEOs also recognize that security is table stakes for building digital products and are entrusting their CISOs with more responsibilities.
Fifty-nine percent of 10,000 C-Suite executives polled by PwC for the new Global State of Information Security Survey said they are investing more in cybersecurity, including data analytics, real-time monitoring, authentication tools that include biometrics and managed security services (MSS). David Burg, PwC’s U.S. and global leader of cybersecurity and privacy, says anecdotal evidence also suggests that companies are turning to CISOs to build security into software, including anything from mobile applications to connected cars that exchange information with smartphones.
CEOs leaning more on CISOs
"What's becoming clear is that senior execs -- CEOs, marketing chiefs and others who worry about digital -- are turning to CISOs and saying, OK how do I solve this? It's not can I do it. The decision to do it has already been made. How do I do this in a way that is secure and safe and minds privacy regulations," Burg tells CIO.com. "It's an important pivot. To remain competitive, organizations today must make a budgetary commitment to the integration of cybersecurity with digitization from the outset."
This new mindset has come at great cost to some of the U.S.'s largest brands. Breach post mortems of Target, Home Depot and dozens of other companies revealed that they had underinvested in IT security, ranging from failure to implement proper tools and best practices to lacking CISOs and other key staff. In many cases, the cost of a breach outweighs the cost of protecting corporate assets. But as companies increasingly create digital services, they are both creating more vulnerabilities and storing more consumer data hackers may exploit. The new thinking goes: You can't compete in digital if you can't protect both corporate and customer information.
Traditionally, CIOs have built and implemented IT systems and then asked their CISOs to layer on security tools, including anything from antivirus software to firewalls. CISOs essentially look at a mosaic of technology, see a hole and buy a security product to fill it, says Burg, who has worked on several such implementations in his career. "The CISO has got to figure out how to protect enormous complexity," Burg says. But if there is one thing the swath of breaches shows, it is that the build-first-protect-later approach is broken.
And CEOs are understanding this more and more. Burg notes that Elwin Wong, CISO of Ross Stores, was also given the role of enterprise architect. Another CISO, whom Burg declined to name, is deeply involved in his organization's shift to agile development and DevOps. These software development models, which favor rapid building, testing and deployment over rigorous documentation and processes, have become the preferred approaches to building digital services, allowing companies to quickly release minimally viable products and tweak them, based on consumer feedback. "Businesses are turning over and saying we have to be good at technology and innovation so we need the cyber guys and gals up front," Burg says.
Cloud, MSS adoption supports digital shift
It's difficult to quantify the number of CISOs who have been endowed with greater responsibilities, but Burg says the proliferation of cloud technologies and managed security service providers (MSSPs) underscores his thesis. Some 63 percent of respondents said they were consuming cloud technologies and benefitting from lower costs, ease of use and the ability to shunt maintenance chores to someone else. Burg also says that cloud software developed and battle-tested by hundreds of engineers, which is typical at large vendors, is safer and easier to deploy than many on-premises technologies.
For similar reasons, 62 percent of companies said they were paying MSSPs for highly technical initiatives such as authentication, data loss prevention and identity management, signaling that businesses are making cybersecurity a priority despite lacking talent to fill key positions.
Upticks in cloud and managed security service adoptions pose an interesting implication. Companies that offload IT to the cloud and cybersecurity operations to MSSPs are ideally freer to focus on products that support their core business competencies. And that allows the entire C-Suite -- CEOs, CIOs, CISOs and CMOs -- to focus on their new digital imperatives. "This signals a very significant shift in business," Burg says.