If you ask anybody who is paying close attention to C-Suites and executive boardrooms, they will tell you that no other position is seeing more dramatic change and facing more scrutiny in the past couple of years than the Chief Information Security Officer, or CISO. With the steady rise in data breaches and other kinds of cyber attacks, businesses in all sectors are feeling the impact of these incidents on the bottom line. This does not even take into consideration the dangers of non-compliance with regulations such as the European Union’s (EU) General Data Protection Regulation (GDPR). Cybersecurity is on every CxO’s lips these days, which signifies a creeping realization in these circles that cybersecurity is a concern that touches every single nook and cranny of an organization, not just technology.
The Cybersecurity Ceiling
A recent study by Deloitte and the Financial Services Information Sharing and Analysis Center found that most financial institutions on average spend 10% of their IT budgets on cybersecurity. This ranged from 6% on the low end to the upper limit of 14%. Whether you are an organization that has decided that your cybersecurity budget is 6% of your IT budget, 14% of your IT budget, or somewhere in between, this study points to a problematic paradigm that is very common in today’s business landscape: For most organizations, whatever they decide their cybersecurity spend should be, it is often some percentage of their IT spend.
This practice has built a cybersecurity ceiling.
Now, you may be asking: What is a cybersecurity ceiling?
Making a cybersecurity budget a percentage of the IT budget is systematically implying that cybersecurity will never be more important than information technology. The limitation of cybersecurity capabilities by tying their budget to the IT budget is that ceiling.
Who Built This Ceiling?
This situation exists because cybersecurity, from its early days, has always been considered a technical domain, nestled comfortably within the boundaries of Information Technology. The rise of information technology changed the way the world lives and, in turn, changed the way the world does business. The perception was that because the future is digital, all our problems and solutions would be digital, as well. Our battles would be waged on this new digital battlefield, so it would simply take technology to fight them. This perception conjured up visions of ones and zeros in executives’ minds. Cybersecurity had to be purely a game for computer scientists and technologists. Historically, CISOs were not really a part of the C-Suite, but reported directly to a CIO.
Drawback: Cybersecurity Dependence on IT Spend
What does this mean, exactly? It means that there are drawbacks to thinking of cybersecurity as a domain of Information Technology.
As an example, if an organization deems that it will scale back growth in information technology for a given year, they have automatically decided to scale back growth in cybersecurity, as well. Although this may end up being a decision the organization would have made to begin with, it is a decision that deserves its own discussion.
Drawback: Technology Solutions to Technology Problems
Another effect of thinking about cybersecurity as a subset of information technology is the penchant for cybersecurity budgets to be spent on technology and tools. Although a great many problems can be solved with technology, sometimes cybersecurity problems are better solved through processes or people. In some cases, technology only adds complexity and overhead to the problem.
It is a tale as old as cybersecurity itself: An organization with a veritable arsenal of cybersecurity technologies that they spent millions of dollars on… and one overworked, underpaid IT guy trying to manage all of it on his own.
The lack of importance given to people as a solution to cybersecurity problems has also fueled a global cybersecurity talent shortage. According to a 2019 study by Herjavec Group, the number of unfilled cybersecurity jobs globally will rise to 3.5 million by 2021. This is being spurred on by undervaluation of the functions a cybersecurity expert can perform in an organization and a lack of budget to fund training for existing employees. Another example of this effect is the prevalence of organizations that operate without a CISO.
Bringing cybersecurity out into its own domain will end the fixation on technology as the sole answer to cybersecurity problems and refocus funds to improving processes and investing into cybersecurity experts.
Cybersecurity is Evolving
As previously mentioned, businesses are starting to catch on that cybersecurity has to do with more than just technology. It is also about processes and people. They are also realizing that cyber attacks impact more than just technology and data, they also impact reputation and finances. This leads everyone to the conclusion that cybersecurity isn’t just a CIO’s problem... it is something that CEOs, CFOs, CTOs, COOs, and any other CXOs have to take into account.
Budgetary decisions over cybersecurity affect all departments of an organization and, as such, should be explored by more than just the CIO. Ultimately, a CEO is responsible for the cybersecurity of their organization and should have a CISO holding a role as important as those who would advise on finance, legal, operations, information technology, and others.
A study by the World Economic Forum observed that businesses are beginning to see cybersecurity as an enabler for the business where it used to see it as an encumbrance. Beyond its benefits of protecting the company from costly data breaches, other types of cyber attacks, and regulatory fines, businesses are starting to view cybersecurity as a competitive advantage, due to consumers’ growing awareness of data privacy and the value of protecting personal data and intellectual property.
Perceptions of Cybersecurity Must Evolve
As the world changes, we are seeing a more connected world. It’s digital. It’s decentralized. It’s smaller. COVID has brought on a work-from-home renaissance that has increased the attack surface of companies that are used to cybersecurity as a practice in protecting perimeters that no longer exist. Data breaches are on the rise and regulators are tightening up guidelines.
As the threat increases on all levels, it is more important than ever for leaders to recognize that cybersecurity is ubiquitous. It is as crucial as it ever was to adopt a holistic approach to protecting our systems and our data.
In the face of cybersecurity’s ever-expanding scope, it is important to recognize that it should no longer live in IT’s shadow. Cybersecurity is its own business domain and businesses need a champion in the C-Suite that sits equal to the other officers at the table. Stakeholders across the organization have to be educated and informed about how cybersecurity affects their part of the business.
In a 2019 survey by Forbes and Fortinet, 200 CISOs were asked which constraints they thought had the greatest impact on their cybersecurity programs and the top five overall were:
- Lack of adequate budget (18%)
- Lack of support from senior management (11%)
- Lack of cooperation by employees (9%)
- Lack of cybersecurity training for non-IT employees (9%)
- Shortage of of skilled cybersecurity workers (8%)
The demand for cybersecurity is becoming more apparent as time goes on. It is becoming clearer that cybersecurity brings a unique value to businesses that deserves its own place. It is time to break the Cybersecurity Ceiling. Organizations that adopt this mindset and adjust their structures accordingly will reap the benefits faster and come out as leaders in this new paradigm.