January 15, 2016 By Christophe Veltsos 4 min read

Cyber Risks: A New Threat for a New Generation

“Many executives are declaring cyber as the risk that will define our generation.” – Dennis Chesley, the global risk consulting leader for PwC, in the “Global State of Information Security Survey 2016”

As organizations are learning to be more strategic in how they approach cybersecurity, three key areas of concern have emerged for 2016: the ability for boards to provide effective governance of cyber risks; the proper funding of the security function; and, finally, security staffing issues, including the positioning of the security function itself within the organization’s leadership structure and rising CISO salaries.

1. Boards and Executive Management

As cyber is now a key recurring topic on board agendas, board directors are asking more critical questions about the organization’s cybersecurity posture and the effectiveness of security initiatives. In his 2014 NYSE address, SEC Commissioner Luis A. Aguilar set a clear tone when he warned that “boards are responsible for overseeing that the corporation has established appropriate risk management programs and for overseeing how management implements those programs.”

One of the ways that boards are getting involved is by participating in the security budgeting process. A key finding of the PwC “Global State of Information Security Survey 2016” was that 46 percent of respondents reported their board participated in information security budgets. Another positive development is that 45 percent of boards participated in the overall security strategy.

Participation alone does not satisfy the guidance, though. One of the five key recommendations in the National Association of Corporate Directors (NACD) “Cyber-Risk Oversight Handbook” is that cyber issues “be given regular and adequate time on the board meeting agenda,” and that boards “have adequate access to cybersecurity expertise.”

In much the same way one might want to go to a different medical professional to get a second opinion, it’s important for board directors to have access to other, possibly contradicting viewpoints to critically review and analyze information about the organization’s security posture.

However, simple involvement on the part of boards and executive management is not enough to ensure that cyber risks are well-managed. Organizations should assess the extent to which their security capabilities are maturing, evaluate whether cyber risks are integrated within the larger enterprise risk management system and continually examine their organization’s ability to be resilient when it comes to the cyber realm.

2. Security Budgets

One additional recommendation from the NACD’s handbook was that “directors should set the expectation that management establish an enterprisewide cyber risk management framework with adequate staffing and budget.”

Security budgets themselves appear healthy, although the reported share varies widely, from 2 percent to more than 10 percent of total IT spending:

  • For the U.K., a 2014 PwC report found that “large organizations now spend, on average, 11 percent of their IT budget on security; small businesses spend even more of their IT budget on security than large ones with an average of almost 15 percent of their IT budget.” For 15 percent of small businesses, the security spending was as high as 25 percent of their IT budget.
  • For Canada, an IBM-sponsored report from IDC showed that “Canadian organizations say they spend an average of just under 10 percent of their IT budget on security technology, outside services and staff.”
  • In the U.S., the 2016 PwC study cited above indicated that security budgets in 2015 benefited from a 24 percent boost in funds.

However, two concerns remain for 2016 when it comes to budgeting: Is the security area adequately funded, and who controls the security budget?

A recent study found that “59 percent of IT pros feel that their organization does not adequately invest in IT security,” ZDNet reported. More worrisome is a Ponemon Institute report, the “2015 Global Study on IT Security Spending & Investments,” which said that “only 19 percent of respondents say the IT security leader has control over how resources are allocated. Instead it is the CIO/CTO and business leaders who own the budget.”

3. Staffing and Reporting Lines

Recruiting and retaining talented security staff remains a challenge. “There is a skills shortage in IT security — and it is reshaping the security market,” noted the Canada-focused IDC study. The shortage affects nearly all security-related positions, from security technicians to the CISO. Adequate staffing for security was also listed in the NACD recommendations as an area for board directors to be concerned with.

Another concern for boards is the positioning of the security function itself. For example, “the CISO should not report to the CIO,” said Jeff Spivey, the international vice president of the Information Systems Audit and Control Association (ISACA), as quoted by ZDNet. He went on to say, “It’s very difficult to bring up issues to a management level that needs to resolve them. That needs to be offset somewhere else so it’s not an incestuous relationship.”

This sentiment is echoed in an Ernst & Young report: CISOs “should report to the CEO or to another senior manager, not to the chief information officer (CIO),” and the CISO should have “a dotted-line reporting structure to the board itself.”

A recent Forbes article, citing an IDC report, stated that “by 2018, fully 75 percent of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, not the CIO.” For now, it is still most common to find security housed under the CIO, yet boards and executive management should review whether this is appropriate.

Finally, the issue of CISO compensation will continue to garner much attention. The Forbes article mentioned that for an average large city such as Chicago, CISO salaries ranged from $132,000 to $328,000, with the average salary around $214,000. CISOs who feel undervalued are likely to take advantage of this strong market to start looking elsewhere. It is critical for boards and top management to have frank discussions with their CISOs to ensure everyone is on the same page when it comes to compensation.
