While security budgets are increasing, UK CSOs are realising that many of today’s threats prey on humans through the likes of phishing attacks, and so investing in technology alone isn’t enough; money also needs to be put into automation to reduce human involvement, and better education and awareness must also become key targets.
To coincide with the launch of CSO UK, IDG conducted a survey of 200 IT leaders from major UK enterprises to explore the state of cybersecurity within British organisations including key threats, main investment areas and what is driving the security agenda within the business. The full results are published in our new report, .
Security budgets are increasing, still in the CIO’s control
While the CSO, CISO, or equivalent may be tasked with defending their organisations against threats, they rarely control the purse strings when it comes to investing in defenses. Nearly half (48 percent) of organisations say it is the CIO that controls the cybersecurity budget. The remaining organisations were equally likely to have the CFO, CSO/CISO, or CTO in control of the security function’s finances.
Security is increasingly high profile both in the news and in the boardroom, while at the same time the threat landscape is becoming ever more challenging. As a result, security budgets are increasing: 66 percent of organisations surveyed said their budgets had risen in the last year. A quarter of organisations reported that the increase over the previous 12 months had been ‘significant’. Just over a quarter (28 percent) saw no change in budget, while five percent reported a decrease.
While security budgets are up, for most companies the function still represents only a small portion of the overall technology pie. Approximately 28 percent of businesses surveyed spend less than five percent of the IT budget on cybersecurity-related technology and activities. Just under a third said they dedicated 6-10 percent of their IT budget to cybersecurity, while 36 percent revealed they designated 11-20 percent of their IT pot to security. Only a fraction (3.5 percent) of companies dedicate more than a fifth of their overall IT budget to the security function. While a higher security-to-IT ratio may indicate how seriously a company takes its cyber risk, budgets are relative and unique to each organisation, and do not necessarily reflect effectiveness.
Automation, cloud, and human security big investment drivers
A previous article looking at this study highlighted how most companies still see humans as the weak link in the cybersecurity chain, and this is reflected in the fact that the threats UK enterprises fear the most all involve humans. Phishing/social engineering was listed as the main threat that organisations were worried about. Ransomware, insider threats, and business email compromise (BEC) attacks – all of which typically involve human error, such as clicking on something they shouldn’t – were also listed as major concerns for around half of companies. Awareness training and automation were listed as two ways enterprises were looking to reduce human error within the business.
On the technology side, over 40 percent of organisations agreed with the statement that ‘cybersecurity concerns have stopped my company from moving specific IT applications into the public cloud’, so it should be little surprise that ‘cloud security’ was listed as the main area of cybersecurity technology enterprises are looking to invest in.
Endpoint protection, threat intelligence, multifactor authentication, encryption, and firewalls were all listed as the main areas of investment for UK enterprises this year. Ninety percent of organisations claim that artificial intelligence/machine learning will be important in the future to combat security threats, and it was also among the top 10 areas of investment for companies in the coming year.
Breaches are inevitable, so keeping incident costs low is the priority
Measuring the value of security investments can be notoriously challenging. How can CSOs measure the savings a business saw because an attack never happened? And how do you justify a previous investment if it prevented the vast majority of attacks but still let one through?
At the same time, the cost of failure keeps rising. IBM and Ponemon’s latest Cost of a Data Breach study estimates that breaches cost UK enterprises an average of $3.88 million each time. And with most organisations in the study agreeing that ‘breaches are inevitable’, it makes sense that damage reduction is a more important metric to measure than prevention. ‘Reduced cost per incident’ was the key metric companies said they use to measure the business value of security investments.
With high-profile incidents affecting enormous enterprises such as BA and Marriott, resulting in massive fines from the ICO, it’s understandable that ‘improving regulatory compliance’ was another key ROI metric for just under half of UK organisations.
‘Improved security awareness’ was the third most popular metric for measuring value, showing that organisations understand that technology alone won’t help prevent the human-based threats such as business email compromise.