Here’s how organizations are falling short addressing cyber risk
By: Bob Bragdon | 10/27/2022
Security is finally being viewed as a critical business function by many senior management leaders and boards of directors. It has been on a growth path in that regard for the past five years. But in 2022, our Security Priorities Study shows some structural changes meant to effect better alignment with the business.
In years past it was most common to find security leaders reporting directly to their organization's CIO. But businesses started to move away from that hierarchy a number of years ago, and in this year's survey we found that the number one reporting structure for security leaders is to the CEO, with 44% having direct or dotted-line reporting into that office, followed by 26% to the CIO and a whopping 20% to the board of directors itself.
As noted, the focus on security as a business issue by the board of directors continues to grow, with 82% of security leaders reporting regular or frequent engagement with the board, and, in some ways, that engagement is paying off. More than half told us that their work with the board of directors is helping to improve cyber security initiatives at their businesses. One would think this bodes well for security, and in some ways, maybe it does.
So why is our research telling us that 90% of security teams feel they are falling short in addressing cyber risk? Well, despite the attention from corporate leadership, in many ways it remains the same issues that we've been watching for years: they struggle to convince all parts of their organizations of the severity of the risks they face, they're not investing enough resources to address those risks, they struggle to find and retain the technical and professional expertise they need in order to properly manage their risks, and they feel that they're not proactive enough when it comes to their security strategy.
Security leaders also struggle against those issues that draw attention and resources away from the strategic initiatives that would deliver the most security value for the business. They continue to spend what they feel is too much time focused on meeting governance and compliance regulations. As attacks against their businesses have exploded, they spend more time and money addressing employee awareness and training issues. There are always unanticipated business risks that are difficult to prepare for but which require their immediate attention.
Cyber threats that originate from outside their organizations also force them to focus on more tactical issues. All of these exacerbate what was a difficult environment to begin with, regardless of how much attention they are getting from corporate leadership.
What is it then that’s driving the security challenges that they face? Unfortunately, they seem to be the same issues that come up in our research every year we ask.
- Non-malicious user errors continue to be the number one cause of security incidents.
- Third-party risk was a big topic of discussion at our recent CSO50 conference, and it was identified as the second greatest challenge. Whether it manifests as a vulnerability in your software supply chain or hardware supply chain, or originates with a business partner, this type of risk can be difficult to detect and mitigate.
- Finally, the problem that has plagued organizations for decades now: unpatched software vulnerabilities. The reality is that many security teams don't own patching anymore. It's incumbent upon them, as they build cultures of security within their organizations, to impress on the people who do own software patching how important it is to apply updates in a timely manner, because unpatched vulnerabilities are increasingly an easy channel of entry for compromise.
As I've mentioned, there are a number of speed bumps in the road impeding their efforts to reduce risk. Key among them are the challenges caused by staffing and skills shortages. As we've seen in a number of research studies over the past several years, the fallout of staffing shortages, as well as a shortage of experienced, skilled professionals, manifests in higher turnover and employee burnout, from leadership all the way down, as well as unnecessary lapses that can result in security incidents.
Finally, it's probably no surprise to see that, even in a recessionary economy, security budgets continue to grow. It's hard to justify cutting back, or even keeping flat, investments when compliance mandates are increasing and the threat environment continues to grow more challenging. But security teams are getting better at targeting how they invest those dollars.
We’re seeing more dollars directed towards:
- Cloud-based security services
- Cloud infrastructure management technologies
- Application development security
- Access controls
- Cloud data protection
All of these address key points of risk for businesses, or are designed to mitigate the shortcomings of the capabilities available to them on-prem.
Most troubling, though, is this: even as security gets more and more attention as a key element of the business, even as more resources are made available to security teams, and even as they invest in new technologies and approaches to risk management, the shortfall of skilled and experienced personnel continues to have a terrible effect on their efficacy. That shortfall probably explains why so many feel that they continue to fall behind.
To get insight on more research from the 2022 Security Priorities Study, download our white paper here or request a meeting with a Foundry sales executive to walk through the full study on our samples slides page here.