A recent research report from Moody’s Investors Service observes that organizations tend to have upped their cybersecurity investments across the board, but that the additional spending is not necessarily leading to better outcomes or more thorough defensive perimeters.
Organizations are almost universally onboarding basic cybersecurity defenses and over half now hold cyber insurance, but spending on “advanced” and “robust” defensive solutions continues to lag. 93% of organizations now have a dedicated cybersecurity manager in place, but the frequency and depth of their interaction varies greatly between companies.
“Basic” cybersecurity investment up, companies still hesitant to spend on “robust” systems
Cybersecurity governance appears to be on the upswing along with general spending, with the majority of organizations now having security management and executives directly interface about IT defenses and remediation plans. However, there are some shortfalls in this arrangement. Communication is better in some organizations than in others, and in many cases stakeholders are being cut out of the loop with cyber episodes reported to boards of directors twice as often as they are to the public.
The data shows that the closer the reporting structure between cyber managers and executives, the more cybersecurity investment tends to occur. Investment in advanced defenses also correlates with the presence of relevant cyber expertise on the board of directors. And the presence of defined cyber objectives in a CEO’s compensation package correlates with tightened reporting structures. But despite these relationships, the actual role and importance of a cyber manager varies greatly from company to company.
93% of all organizations have a cyber manager, and in some specific industries (such as financial services) that number rises as high as 98%, but only about 50 to 70% of these (depending on industry) are reporting directly to the C-suite. Even fewer (33% to 59%) report directly to CEOs. The survey sees most organizations having cyber managers report to CIOs or CTOs instead, which would seem a natural arrangement; however, it finds that this can also create certain conflicts of interest. CIOs and CTOs are beholden to budget concerns just as much as they are security in many organizations, and situations in which a more generalist CSO is in charge of all security can mean that there is less technical expertise at the executive end of this equation.
How many boards do have at least one director with some level of cybersecurity expertise? This is another area that could use improvement as it relates to cybersecurity investment knowledge. Fewer than 50% of organizations have a director with this experience on the board, though it tops 50% in the financial services industry. The median of cyber experience on the board in the infrastructure and public categories sits at 0%. Of the companies that do have this expertise on their boards, a little less than half of the time it is derived from hands-on experience.
