Organizations are showing more interest in cybersecurity through executive involvement and higher spending. Nevertheless, the added attention is new and more resources need to be directed at defending against cyberattacks, a study shows.
Last year, no information security professionals said they reported to senior executives. Today, 35 percent report quarterly on the state of information security to the company board and the chief executive and about 10 percent report monthly, according to this year's Global Information Security Survey from consultancy Ernst & Young.
While the upper echelon is paying more attention, it is still not spending enough to defend against cyberattackers, who are increasingly sophisticated, according to the survey of senior executives in more than 1,900 companies and government organizations.
Half of the respondents planned to increase their cybersecurity budget by 5 percent or more over the next 12 months, yet 65 percent cited insufficient funds as their number one challenge to operating at a security level expected by their companies. For businesses with revenues of $10 million or less, the number dissatisfied with funding rose to 71 percent.
A larger percentage of budgets need to be directed at security innovation and emerging technologies within the enterprise, such as the use of mobile devices and social media, the survey found. Over the next 12 months, 14 percent of security budgets are being allocated to new technologies, yet respondents said they were unsure whether they were ready to handle the risks posed by corporate use of social media.
"Organizations need to be more forward-looking," Ken Allan, EY global information security leader, said in a statement.
Data protection is being taken much more seriously within organizations. Rather than being treated as a line item in a contract or something left to third parties, as seen in previous surveys, three quarters of respondents were mandating self-assessments or commissioning independent external assessments.
As the attention given to cybersecurity grows, so does the need for skilled professionals. Unfortunately, the available pool of talent is insufficient. Half of the respondents cited a lack of skilled workers as a barrier to meeting all security priorities.
The scarcity of talent is not being properly addressed by an increasing number of executives, the survey found. The percentage of respondents citing a lack of executive awareness or support rose to 31 percent this year, from 20 percent in 2012.
"A lack of skilled talent is a global issue," Allan said. "It is particularly acute in Europe, where governments and companies are fiercely competing to recruit the brightest talent to their teams from a very small pool."
To become more efficient in cybersecurity, EY is recommending that businesses take time to understand the attackers targeting them and then decide on the defense strategies and technology.
"Look for the trophies that they (attackers) would be interested in and organize your defenses around that," Chip Tsantes, a principal in EY's cybersecurity practice, told CSOonline Friday.
Tsantes finds that the digital assets being targeted within an organization often do not correlate with where organizations are spending their money.
Gathering and sharing intelligence on cyberattackers threatening data, networks and business processes is an emerging information security discipline.
A recent survey of security decision-makers found that three quarters of them rated establishing or improving threat intelligence as a top priority for their organizations, according to Forrester Research.
In addition, a recent Ponemon Institute report found that enterprises could reduce annual costs associated with cyber-attacks by 40 percent, if they had intelligence they could use to bolster defenses.
The need for improved cybersecurity is well established. Forrester Research found that 45 percent of respondents had experienced a breach at least once in the last 12 months.
EY found that 31 percent of the participants in its survey had seen at least a 5 percent increase in the number of security incidents in their organizations in the same timeframe.