UK security budgets rise in face of human and cloud concerns

With concerns around cloud migration and human error, security budgets are increasing

CSO Digital Magazine, Spring 2019
CSO / IDG

Security incidents are now headline news in national publications, and regulators are issuing fines that reach into the hundreds of millions of pounds. All of this plays out against a backdrop of increasingly numerous and sophisticated threat actors hankering after your data.

Computerworld and CSO recently conducted a survey of 200 IT leaders from major UK enterprises to explore the state of cybersecurity within British organisations, including the main threats, key investment areas and what is driving the security agenda. The full results are published in our new report, The State of Enterprise Security.

Security budgets are on the up

With security incidents now making regular headlines and the threat landscape becoming ever more complex and difficult to manage, cybersecurity is only growing in importance within the boardroom. As a result, spending is up: 66 percent of organisations surveyed said their budgets had risen in the last year, with a quarter of organisations reporting a 'significant' increase over the previous 12 months. Over a quarter (28 percent) saw no change in budget, while just five percent reported a decrease.


For most companies the security function still represents only a small portion of the overall IT budget. Around two-thirds of businesses surveyed spend less than 10 percent of the IT budget on cybersecurity-related technology and activities. Most of the rest dedicate between 10 and 20 percent of their IT budget to security.

Only a fraction (3.5 percent) of companies dedicate more than a fifth of their overall IT budget to the security function. While a higher security-to-IT ratio may indicate how seriously a company takes its cyber risk, budgets are relative and unique to each organisation, and do not necessarily reflect effectiveness.

Cloud woes drive investment

Despite the important role the cloud is playing in digital transformation efforts for companies of all shapes, sizes, and industries, security teams remain skeptical. Over 40 percent of organisations agreed with the statement that ‘cybersecurity concerns have stopped my company from moving specific IT applications into the public cloud’, and it should be little surprise that ‘cloud security’ was listed as the main area of cybersecurity technology enterprises are looking to invest in.

Beyond the cloud, endpoint protection, threat intelligence, multifactor authentication, encryption, and firewalls were all listed as key areas of investment for UK enterprises this year. Ninety percent of organisations claim that artificial intelligence and machine learning will be important in helping combat security threats in the future, and AI/ML was also among the top 10 areas of investment for companies in the coming year.

The problem of people in security

A massive 98 percent of respondents agreed with the statement: ‘The human employee is the weakest link when it comes to cybersecurity’, and this is reflected in the threats organisations were most concerned about. Social engineering, phishing, and business email compromise – all attacks which rely on people falling prey to manipulation and trickery – were listed amongst the key concerns faced by enterprises. Insider threats, malware, and DDoS attacks were also cited as threats companies worried most about.

Technology-based solutions can only do so much to fix human problems, and 40 percent of respondents rated security awareness in their organisation as merely adequate. To remedy this, 85 percent of the companies surveyed stated they were using security awareness training to reduce human error. 'Improved security awareness' was one of the most popular metrics for measuring the value of security investments.

Breaches are inevitable

Measuring the value of security investments can be difficult for security professionals, especially if executive leadership views the security function as a cost centre rather than a business enabler.

At the same time, the cost of failure keeps climbing. According to IBM and Ponemon's Cost of a Data Breach study, breaches cost UK enterprises an average of $3.88 million each. With most organisations in the study agreeing that 'breaches are inevitable', it makes sense that damage reduction, rather than prevention alone, is the metric companies prioritise: 'reduced cost per incident' was the key metric companies said they use to measure the business value of security investments.

With high-profile incidents affecting enormous enterprises such as BA and Marriott, resulting in massive fines from the ICO, it is understandable that 'improving regulatory compliance' was another key ROI metric for just under half of UK organisations.

Copyright © 2019 IDG Communications, Inc.