2021 IDG Security Priorities study outlines current organizational security structure, evolving operational technology risks, and security incidents driving investments

Boston, Mass. – October 20, 2021 – IDG Communications, Inc. – the world’s leading tech media, data, and marketing services company – releases the 2021 IDG Security Priorities research, which outlines the security-related priorities IT and security leaders are focused on now and in the coming year. In its 5th year, this study shares insight into the structure of security organizations, the variety of risks that businesses are presented with, and the specific security solutions being invested in to combat these threats.

Status of Security Structure and Responsibilities

The 2021 research found that businesses continue to add security-focused individuals to their executive leadership – 67% of organizations say that their company has a CSO, CISO or top security executive, which is up from 61% in 2020. These executives are also seeing marked elevations in their reporting structures as they increasingly report directly to the CEO and Board of Directors. Currently, 44% of security leaders say they report to the CEO which is up from 34% in 2020, and 21% to the Board of Directors which is also up from 12% last year.

As businesses seek to consolidate their risk management efforts, the research shows that security leaders are being handed the reins of physical security – 57% say they are involved in both IT and corporate/physical security decisions, up from 52% in 2020. Close to a quarter (22%) say that these responsibilities have been added to their role within the past three years, while 43% say it’s been a part of their role for more than three years, and an additional 11% expect physical security to fall into their realm of duties within the next 12 months.

Operational technology (OT) describes the systems that run industrial and manufacturing equipment. In the wake of attacks impacting OT environments, like the Colonial Pipeline breach, businesses are increasing their focus on the protection of their OT environments. But they are finding significant vulnerabilities and environments that are difficult to patch and protect. Forty-five percent of businesses with OT environments report that those environments are connected to their IT environment, as opposed to being air-gapped. More than a third (35%) of security leaders report that the risks to their OT environment are increasing, and 38% have identified that the current level of risk associated with their OT environment vulnerabilities is significant or grave.

“As businesses grow to rely more on their OT environments, tying them into their IT environments to enable business efficiencies, we’re more likely to see attacks against IT flow over into OT, just like what we saw with Colonial Pipeline,” says Bob Bragdon, SVP/Worldwide Managing Director, CSO. “Risk areas like this will continue to drive security leaders’ focus on building resilience to address the variety of threats they face.”

Insight into Security Incidents & Short Falls

Overall, 91% of security leaders report that they understand the causes of their security incidents in the past year – up from 87% in 2020, but that growing awareness doesn’t seem to be translating into reduced risks to the business. While the majority say that most security incidents were due to non-malicious user error (fell victim to phishing or unintended policy violations), and despite organizations’ focus on security awareness among end-users, the past year has seen an explosion in ransomware attacks. Additional sources of security incidents include unpatched software vulnerabilities, security vulnerabilities at third-party individuals or organizations, and misconfiguration of services or systems either on- or off-premises.

Despite businesses getting better at identifying the root causes of their security incidents, 90% believe they are falling short addressing their cyber risks – which is up from 87% last year. Security leaders state:

  • They have difficulty convincing all, or parts, of their organization of the severity of the risks they face (30%)
  • Are not investing enough resources to address these risks (29%)
  • Are not proactive enough when it comes to their security strategy (27%)
Exploring and Investing in Security Tools to Combat Cyber Risks

In order to assess their shortfalls and lessen security incidents, organizations continue to invest in security solutions – 90% say that their organization has added at least one security tool in the past 12 months. Only 2% expect their security budget to decrease in the next 12 months, while 44% expect it to increase and 53% say remain the same. There is slight difference here by global region – 50% of EMEA security leaders expect their security budgets to increase with only 1% expecting a decrease; 45% of NA respondents expect an increase and 2% anticipate a decrease; however the majority (61%) of APAC respondents expect their security budgets to remain the same, with only 38% expecting an increase. Overall, their spending is being prioritized by best practices, compliance/regulations, and the evolving risks posed by changing workforce or business dynamics. The top security technologies that security leaders are actively researching are:

  1. Zero Trust technologies
  2. SOAR (security orchestration, automation and response)
  3. SASE (secure access service edge)
  4. Deception technology.

Additionally, they plan to increase their investment in:

  1. Cloud data protection
  2. Access controls
  3. Cloud-based cybersecurity services
  4. Data analytics

to help them combat security risks.

“While organizations continue to add more and more security tools, it’s also becoming apparent that they do not have processes in place to evaluate the effectiveness of their solutions,” says Bragdon. “Security teams need assistance from security vendors and consultants to ensure they are actively improving the utilization of their products and services, and rationalizing their investments, so they are appropriately prepared to respond to security incidents.”


Join the Conversation
To better leverage your valuable solutions and thought leadership in front of CISOs and security buyers as they engage with their peers, learn about becoming a sponsor at the CSO50 Conference & Awards – being held virtually November 16-18, 2021.

About 2021 IDG Security Priorities Study
IDG’s 2021 Security Priorities Study was conducted among the audience of five IDG brands (CIO, Computerworld, CSO, InfoWorld and Network World). The survey was fielded online to gain a better understanding of the various security projects organizations are focused on now and in the coming year. The research also explores the issues that will demand the most time and strategic thinking for IT and security teams, as well as the services that are managed in-house versus outsourced. Results are based on 772 global respondents who are involved in IT and/or corporate/physical security decisions.

About IDG Communications, Inc.
IDG Communications’ vision is to make the world a better place by enabling the right use of technology, because we believe that the right use of technology can be a powerful force for good.

IDG is a trusted and dependable editorial voice, creating quality content to generate knowledge, engagement, and deep relationships with our community of the most influential technology and security decision-makers. Our premium media brands including CIO®, Computerworld®, CSO®, InfoWorld®, Macworld®, Network World®, PCWorld® and Tech Hive® engage a quality audience with essential guidance on the evolving technology landscape.

Our trusted brands, global first-party data intelligence and Martech platforms (Triblio and KickFire) identify and activate purchasing intent, powering our clients’ success. We simplify complex campaigns that fulfill marketers’ global ambitions seamlessly with consistency that delivers quality results.


Stacey Raap
Marketing & Research Manager
IDG Communications, Inc.