
Cybersecurity as a Business Issue

Mar 24, 2016
Topics: Big Data, Data and Information Security, Security

ESG research data demonstrates that improving cybersecurity is a business – not just an IT – priority. What does this mean for enterprise organizations?

It’s become a cliché in the industry to say that cybersecurity has become a board room-level issue, but what evidence do we have to support this claim? Well, here are a few tidbits from some recent ESG research that certainly lend credibility to the business-driven cybersecurity thesis (note: I am an ESG employee):

  • When asked to identify business initiatives that are driving IT spending, 43% of respondents said, “increasing cybersecurity.”  This was the top business initiative selected followed by “reducing costs” (38%), “improving data analytics for real-time business intelligence” (32%), and “ensuring regulatory compliance” (27%).
  • In a similar vein, survey respondents were asked to identify the most important IT “meta-trend” to their organization. Forty-two percent of respondents selected “increasing cybersecurity.” The next most popular response, “using data analytics for real-time business intelligence,” came in at 17%.
  • 69% of organizations are increasing their spending on cybersecurity in 2016.  These budget increases are being approved by business managers who are now willing to spend more money to improve cybersecurity at their organizations. 

As if the ESG data wasn’t enough, we also know that cyber-insurance policies grew by about 35% last year. So aside from increasing cybersecurity budgets, business executives are hedging their bets by transferring risk to third parties.

I view all of this data as good and bad news. On the positive side, we’ve entered a period where business managers realize that they need good security, not just “good enough” security. So what’s the bad news? CISOs must expect to be reviewed more thoroughly against business metrics like ROI, cost containment, and continuous improvement. This is relatively unfamiliar territory for many cybersecurity professionals who grew up managing firewalls and mastering the CISSP Common Body of Knowledge (CBK).

Over the next few years, business managers need to develop greater cybersecurity affinity, while CISOs must learn to mitigate risk and detect and respond to incidents in an operationally efficient and measurable manner. These challenges will determine cybersecurity success or failure across the organization moving forward.

Contributing Writer

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.