New CSO benchmark reveals security priorities

58 large organisations share their security spending, priorities, and other findings to help smaller organisations make better security decisions


A benchmarking exercise for business and technology leaders across Australia and New Zealand aims to enable CIOs to better allocate and manage cyber security resources.

The CISO Lens Benchmark 2019 drew on responses from 58 organisations that between them employ close to 1 million people and that spent more than A$18 billion on ICT in 2019. Fifty were from Australia, eight from New Zealand. Among them they had more than 3,000 full-time security employees.

The benchmarking was undertaken by CISO Lens, a forum for CISOs of large Australian and New Zealand organisations.

Key findings on security facts and figures

Average spend. The average security spend was A$2,412 per full-time employee, but technology companies spent A$4,252 and financial organisations A$3,248.

CISO Lens managing director James Turner also flagged the breakdown of security spend between capex (32 percent) and opex (68 percent) and between ‘projects’ (40 percent) and ‘business as usual’ (60 percent). “What a lot of organisations do, particularly if they’re run by an extremely technical CIO, is they'll buy a tool but then forget that they'll actually need to maintain it through time. That means staff need to be trained, staff need to be given the time to extract value from the tool. And if a staff member moves on, they need other staff to be trained.

“That's the big 60 percent. But then there's the 40 percent projects … keeping up with what everyone else is doing. The criminals don't just sit back and say, ‘That’s it, we’re done for the year. We'll see you again in 2021.’”

All but two of the CSOs provided their security spend for the forthcoming 12 months, A$1.1 billion in total. The largest eight made up 51 percent of the total. Sixty-five percent expected to increase budget in the next year. The average increase reported was 18 percent. Security budgets averaged 6.3 percent of total IT budgets.

[Figure: top three security priorities chart, CISO Lens 2019 public report]

Percentages add up to more than 100 percent because respondents were asked for their top three priorities. The yellow categories had the most nominations as No. 1 priorities.

Top priorities. Respondents were asked to name their top three priorities. Identity and access management (IAM) and operational technology (OT), including internet of things, are highlighted due to the high priority participants gave them. OT had the highest share of participants nominating it as their No. 1 priority. IAM was the second most frequently nominated No. 1 priority, and it also had the highest rate of No. 2 nominations.

CSO position. The benchmark identified the level of the CSO in the company hierarchy as one of its key findings. It found 43 percent of CSOs reporting to a CIO, CTO or CDO who in turn reported directly to the CEO.

“Fifty-eight percent of respondents were one step or less removed from the CEO. This is a clear statement from these organisations on the importance of making expert advice easily — and continually — available to the executive. … [and] 43 percent of the benchmark participants were reporting to a CIO/CTO/CDO that was reporting directly to the CEO. … This is important because it is an indicator that in these organisations both technology and security are likely viewed as strategic capabilities,” the report said.

Turner said breaks in this chain could have dire consequences for cyber security. “I saw one horrible instance where the CISO was reporting to the CIO who was reporting to the CEO. Then the CIO brought in someone between them, and that new executive’s sole KPI, which would equate to 80 percent of their salary, was based on cost reduction. You can imagine how that turned out for the poor CISO.”

Outsourcing panned. The study identified what it called its “most surprising finding” as dissatisfaction with outsourcing. Those organisations that reported insourcing as their primary approach were broadly satisfied. Half of those outsourcing (either for outcomes or for resources) planned to increase their insourced capability in some way.

“The implication for the industry is that a substantial number of organisations are looking to improve their internal capabilities with more people, and they are all fishing from the same pond,” the report said. “There is a clear requirement for ongoing talent pipeline development — both young people coming into the workforce, as well as searching across professional domains for people with aptitude and transferable skills.”

Top security vendors. Respondents were asked to list their top five vendors that helped support the security and resilience of their organisation. The four that received the most nominations were:

  • Symantec: 21 nominations. The benchmarking was undertaken before official disclosure of Broadcom’s acquisition of Symantec.
  • Microsoft: 20 nominations
  • Cisco Systems: 11 nominations.
  • Amazon Web Services (AWS): 9 nominations

Background on the report

Turner said the report was not meant to be statistically significant. “It is highly representative of an extremely small group ... [but] these are the companies that have taken the time and resources to create [the CSO/CISO] role and, usually, the team underneath them and all the reporting structures and governance that gets wrapped around that.”

The 2019 benchmarking grew from a smaller exercise CISO Lens undertook in 2018 with the CISOs of 11 critical infrastructure organisations. “The data [from the first benchmark] kept on coming up in conversations with CIOs. ‘Are we spending enough, too much or not enough?’” Turner said. “That's one of their burning questions. Boards are particularly interested because they want to know that they're doing the right thing. … You'll often get CEOs and CFOs saying: ‘Where’s the baseline? We want to be just behind that.’”

Participating CISOs received a more comprehensive version of the benchmarking report late last year. “[The participating CISOs] are happy for me to release this public version because they recognise there are other organisations out there that still need to be putting up a good response to cyber risk,” Turner told CSO Australia.

Turner runs a CIO group, the CIO Cyber Risk Network, on behalf of research and advisory firm IBRS.

Copyright © 2020 IDG Communications, Inc.
