Despite the pandemic, boards are increasing investment in security, and organizations expect their security budgets to expand over the next year.
Of the 900 global chief information security officers and information technology decision-makers tapped for Thycotic’s CISO Decisions survey, 77 percent said their boards have okayed investment in new security projects. The sentiment is driven primarily by security incidents in their companies or fear they would fail a compliance audit.
“Our survey found that 58 percent of IT security decision-makers say their organizations plan to add more security budget in the next 12 months,” Joseph Carson, chief security scientist and advisory CISO at Thycotic, told SC Media. “I believe this was a path and direction most organizations have been going down; however, it was always a lower priority.”
But the pandemic “has accelerated the investment into both cloud and remote working budgets, which includes the need for secure remote access and the ability to access from any location,” Carson said.
“At the same time, having a CISO on the board helps ensure technology that supports remote working environments is also secure by design,” he added.
That’s good news indeed for forward-looking CISOs trying to keep pace with industry developments and with peers in their sectors. Seventy-five percent of those surveyed want to try innovative new tools, while 46 percent use other companies in their sector as the benchmark for their own purchases.
But getting the board to invest isn’t a given. Thirty-seven percent of those surveyed said their proposed investments were nixed because the board found the perceived threat to be low risk or didn’t see enough of a return on investment. And 33 percent said senior management universally doesn’t understand the scale of threats.
Whether a board can be moved to invest often depends on how persuasive CISOs are in communicating compliance risk. “If it is done in a way that shows the financial exposure, it shows that it is a real business risk that must be reduced,” said Carson. “The CISO needs to be able to speak the same language as the board, and compliance exposure is a way that the CISO can effectively show tangible financial risks.”
Nevertheless, Carson believes that boards’ understanding of risk is improving and security leaders must improve the way they convey business ROI from investments. “All security teams need a business financial risk analyst who can convert security risk into business risk,” he said.