Cyber Risks: A New Threat for a New Generation
“Many executives are declaring cyber as the risk that will define our generation.” – Dennis Chesley, the global risk consulting leader for PwC, in the “Global State of Information Security Survey 2016”
As organizations are learning to be more strategic in how they approach cybersecurity, three key areas of concern have emerged for 2016: the ability for boards to provide effective governance of cyber risks; the proper funding of the security function; and, finally, security staffing issues, including the positioning of the security function itself within the organization’s leadership structure and rising CISO salaries.
1. Boards and Executive Management
As cyber is now a key recurring topic on board agendas, board directors are asking more critical questions about the organization’s cybersecurity posture and the effectiveness of security initiatives. In his 2014 NYSE address, SEC Commissioner Luis A. Aguilar set a clear tone when he warned that “boards are responsible for overseeing that the corporation has established appropriate risk management programs and for overseeing how management implements those programs.”
One of the ways that boards are getting involved is by participating in the security budgeting process. A key finding of the PwC “Global State of Information Security Survey 2016” was that 46 percent of respondents reported their board participated in information security budgets. Another positive development is that 45 percent of boards participated in the overall security strategy.
However, one of the five key recommendations from the National Association of Corporate Directors (NACD) “Cyber-Risk Oversight Handbook” included ensuring that cyber issues “be given regular and adequate time on the board meeting agenda.” Specifically, boards must “have adequate access to cybersecurity expertise.”
In much the same way one might want to go to a different medical professional to get a second opinion, it’s important for board directors to have access to other, possibly contradicting viewpoints to critically review and analyze information about the organization’s security posture.
However, simple involvement on the part of boards and executive management is not enough to ensure that cyber risks are well-managed. Organizations should assess the extent to which their security capabilities are maturing, evaluate whether cyber risks are integrated within the larger enterprise risk management system and continually examine their organization’s ability to be resilient when it comes to the cyber realm.
2. Security Budgets
One additional recommendation from the NACD’s handbook was that “directors should set the expectation that management establish an enterprisewide cyber risk management framework with adequate staffing and budget.”
From a budgeting perspective, security budgets appear to be doing well, although the numbers vary widely from 2 percent to more than 10 percent of total IT spending:
- For the U.K., a 2014 PwC report found that “large organizations now spend, on average, 11 percent of their IT budget on security; small businesses spend even more of their IT budget on security than large ones with an average of almost 15 percent of their IT budget.” For 15 percent of small businesses, the security spending was as high as 25 percent of their IT budget.
- For Canada, an IBM-sponsored report from IDC showed that “Canadian organizations say they spend an average of just under 10 percent of their IT budget on security technology, outside services and staff.”
- In the U.S., the 2016 PwC study cited above indicated that security budgets in 2015 benefited from a 24 percent boost in funds.
However, two concerns remain for 2016 when it comes to budgeting: Is the security area adequately funded, and who controls the security budget?
A recent study found that “59 percent of IT pros feel that their organization does not adequately invest in IT security,” ZDNet reported. More worrisome is a Ponemon Institute report, the “2015 Global Study on IT Security Spending & Investments,” which said that “only 19 percent of respondents say the IT security leader has control over how resources are allocated. Instead it is the CIO/CTO and business leaders who own the budget.”
3. Staffing and Reporting Lines
Recruiting and retaining talented security staff continues to be an issue going forward. “There is a skills shortage in IT security — and it is reshaping the security market,” noted the Canada-focused IDC study. This issue is true for nearly all security-related positions, from the security technicians all the way to the CISO. Adequate staffing for security was also listed in the NACD recommendations as an area for board directors to be concerned with.
Another concern for boards is the positioning of the security function itself. For example, “the CISO should not report to the CIO,” said Jeff Spivey, the international vice president of the Information Systems Audit and Control Association (ISACA), as quoted by ZDNet. He went on to say, “It’s very difficult to bring up issues to a management level that needs to resolve them. That needs to be offset somewhere else so it’s not an incestuous relationship.”
This sentiment is echoed in an Ernst & Young report: CISOs “should report to the CEO or to another senior manager, not to the chief information officer (CIO),” and the CISO should have “a dotted-line reporting structure to the board itself.”
A recent Forbes article, citing an IDC report, stated that “by 2018, fully 75 percent of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, not the CIO.” For now, it is still most common to find security housed under the CIO, yet boards and executive management should review whether this is appropriate.
Finally, the issue of CISO compensation will continue to garner much attention. The Forbes article mentioned that for an average large city such as Chicago, CISO salaries ranged from $132,000 to $328,000, with the average salary around $214,000. CISOs who feel undervalued are likely to take advantage of this strong market to start looking elsewhere. It is critical for boards and top management to have frank discussions with their CISOs to ensure everyone is on the same page when it comes to compensation.