Can CISOs ever convince top management to treat cybersecurity as an asset rather than as a cost? Read on for clues

What are the key concerns, barriers, potential pitfalls and technology decision making concerns facing cybersecurity teams in the post-COVID landscape?

In the wake of the ongoing pandemic, organizations that have the resources to increase cybersecurity spending are accelerating digitalization but face too many competing solutions.

Most companies polled for a mini global survey considered themselves up-to-date when it came to adopting new technologies. Their decisions on technology purchases were based primarily on benchmarking and analyst reports, with Proof of Concept (PoC) as the preferred method of evaluation.

In making a purchase decision, they looked at minimizing risk, Total Cost of Ownership (TCO), integration, and the reputation of the provider. IT operations and security teams had nearly equal say in the final selection. Finally, management boards have appeared to support increased cybersecurity investments, especially those motivated by internal security incidents and compliance audit failures.

However, barriers to securing cybersecurity investments remained, including technology purchases outside the scope of compliance needs, low perceived threat, and lack of return on investment.

What the figures mean for Asia/Oceania

How do leaders in Asia/Oceania make real-world decisions about where and when to allocate finite resources in a way that best serves the interest of their organization, both now and in the future?

Are decisions made on facts or fear? What kind of evaluation criteria are needed from vendors to help them make the most informed decisions? To get answers to these questions, privileged access management firm Thycotic commissioned an independent survey in August 2020 that gathered responses from more than 900 senior IT security decision-makers working within organizations of 500+ employees in the following countries: Australia (Aus), New Zealand (NZ), Singapore (SG), Malaysia (My)… followed by the western group of USA, UK, Germany, France, and Spain.

The report polled more than 900 global CISOs/senior IT decision-makers, including 100 each in Singapore and Malaysia, 102 in Australia and 102 in New Zealand. The research shows that boardroom investments in cybersecurity are most commonly the result of an incident or of fears of a compliance audit failure. Accordingly, 66% of Aus respondents, 58% in NZ, and 59% in SG/My said their organizations planned to increase their security budgets in the next 12 months.

There are positive signs that boards are stepping up with investment. Almost 88% of Aus respondents (81% in NZ, and 94% in SG/My) had received boardroom investment for new security projects, either in response to a cyber incident (59% of organizations) or through fear of audit failure (29%).

With financial penalties for breaches of the General Data Protection Regulation (GDPR) now totaling 175m Euros, 18% of Aus respondents, 17% in NZ and 19% in SG/My believed that compliance or the threat of fines was the most effective way to persuade boards to invest in cybersecurity.

Pandemic-driven investments

Amid growing cyberthreats and rising risks through the ongoing pandemic, CISOs reported that their management boards were listening and stepping up with increased budgets for cybersecurity, with 94% in Aus, 84% in NZ, and 95% in SG/My agreeing that their management board was adequately supporting them with investment. Two-thirds of Aus respondents, three-fifths of respondents in NZ, SG and My believed that in the next financial year they will have more security budget because of COVID-19.

Less encouraging was the fact that over 41% of Aus, 36% of NZ and 58% of SG/My respondents had had proposed investments turned down because the requests lacked demonstrable ROI. In Aus, 39% (30% in NZ and 38% in SG/My) had been turned down because the threat was perceived as low risk.

Additionally, 38% of Aus, 32% of NZ and 31% of SG/My respondents believed senior management did not comprehend the scale of the threats when making cybersecurity investment decisions.

Think strategically, invest tactically?

CISOs’ own approaches to buying decisions were forward looking as they tried to keep up with industry developments and their sector peers. A large majority (74% in Aus, 84% in NZ and 72% in SG/My) said they wanted to try out innovative new tools. However, in practice, most were guided by their industry peers, with almost 40% in Aus/NZ and 59% in SG/My benchmarking their buying decisions against other companies in their sector. This may have led CISOs to err on the side of proven, known technology rather than trying something new.

Finally, 43% of respondents in Aus, 54% in NZ and 41% in SG/My viewed their organization as up-to-date in tech acquisitions, while 32% in Aus, 28% in NZ and 34% in SG/My considered their organizations to be ‘pioneers’, embracing new technology advancements.

Only 21% in Aus, 14% in NZ and 23% in SG/My thought their business had its finger on the pulse, prioritizing investments according to the latest security threat.

Security investments as an asset

The report, as far as this region is concerned, may hint that management boards are definitely listening and stepping up with increased budgets for cybersecurity, but they tend to view any investment as a cost rather than adding business value, said Terence Jackson, Thycotic’s CISO.

“There are some encouraging signs, particularly in APAC where ROI is a leading factor in security investment decisions. However, there is still some way to go. The fact that boards mainly approve investments after a security incident, or through fear of regulatory penalties for non-compliance, shows that cybersecurity investment decisions are more about insurance than about any desire to lead the field which, in the long run, limits the industry’s ability to keep pace with the cybercriminals,” Jackson noted.

Thycotic’s CEO James Legg commented that the study clearly shows that before CISOs can pursue technology innovation they must first educate their stakeholders about the value of cybersecurity. Securing boardroom investment requires them to strike a delicate balance between innovation and compliance.

Notwithstanding the scale of the study and the disparate geopolitical and local climates peculiar to their own countries, readers can benefit from the following opinions and studies: