Eight out of 10 executives surveyed acknowledge that their companies had been compromised by cyber attacks in the past two years, according to a new study by KPMG. Yet less than half of the 403 CIOs, CISOs and CTOs the firm surveyed said that they had invested in information security in the past year.
“We’re still seeing companies taking a passive or reactive approach toward cybersecurity, when in fact cyber should be a top-line business issue thought about and practiced company-wide,” says Greg Bell, leader of KPMG’s U.S. cyber practice. Bell spoke to CIO.com after publishing his “Consumer Loss Barometer” report in July.
The notion that hacked companies are underinvesting in cybersecurity defies logic until you understand that most CIOs are told to prioritize innovation over risk mitigation. Companies grappling with digital transformations are racing to find their own Pokémon Go. CEOs laser-focused on growing the business are loath to slow down to reduce risk. As a result, cybersecurity never becomes the imperative that it should be.
Lack of oversight courts risk
Underinvestment in cybersecurity means less spending on the talent and safeguards needed to protect companies from emerging threats, including business email compromise and ransomware, in which attackers encrypt corporate data or lock systems and demand payment to restore access. In a June survey, security firm Malwarebytes found that 41 percent of U.S. businesses had encountered between one and five ransomware attacks in the previous 12 months. Such attacks can have a devastating impact on company brands and, ultimately, on bottom lines.
Bell points to a lack of oversight or governance over how CIOs allocate their budgets. CIOs tasked with investing in technology to grow the business focus on hiring new digital talent and implementing new solutions to drive innovation. But most cybersecurity teams can’t keep up with the pace of technological and business process change. Security teams prefer stable infrastructure, because a stable environment lets them establish a risk baseline and detect anomalies against it.
“The need to move fast is critical so companies need to be more agile and embrace some of these newer and more disruptive technologies and look to add more value-added services to their product and service mix,” Bell says. “The problem is that most cybersecurity teams can’t align their value against that. It's a challenge that most of our clients have struggled with over the last several years.”
Bell says that cybersecurity has traditionally been aligned with IT infrastructure, but he suggests companies link it to innovation instead. Ideally, CIOs, chief digital officers and their CISO partners will work together to build protection in as new solutions are developed, rather than bolting it on after the minimum viable product has launched. He says KPMG has tried this model with a few clients and achieved solid results.
Some sectors are more security-focused than others
Bell, who surveyed clients in the automotive, banking, technology and retail sectors, uncovered other interesting findings. It turns out that 89 percent of retail cyber executives reported breaches in the past 24 months, followed by automotive at 85 percent, versus 76 percent for both banking and technology companies.
While those differences were hardly stark, Bell says his research uncovered a “cyber-awareness maturity curve” separating financial services and technology firms on one side from retailers and automakers on the other. This is somewhat alarming given retailers’ emphasis on mobile and personalized shopping and automotive manufacturers’ focus on building connected cars that increasingly rely on automated driver assistance technologies.
Bell found that banks and technology companies are relatively on their game when it comes to bolstering their cyber postures, with 66 percent and 62 percent, respectively, reporting that they had invested in information security. That compares with 45 percent of retailers and 32 percent of automotive manufacturers that said they had invested.
Of the companies surveyed, 69 percent reported having a cybersecurity leader, such as a CISO, in place. Again, though, a gulf exists between the attention financial services and technology firms pay to cyber and what their peers in retail and automotive do. For example, 85 percent of both banks and technology companies said they had a CISO or a similar position, compared with 58 percent of retail and 45 percent of automotive companies that reported having a cyber leader.
Matt Comyns, global cybersecurity practice leader for executive recruiter Russell Reynolds Associates, says that some enterprises try to hire average CISOs, or hold off on hiring security leaders entirely, because they are in denial about the threat hackers pose to their organizations. The collective mentality, Comyns says, is one of disbelief that hackers would find their data valuable enough to steal. Comyns says he tries to convince them otherwise.
“I still walk in the door of companies searching for a CISO who say: ‘Who would come after us? We’re not Target, we’re not Sony,’” Comyns says. “I’m not so sure that’s the right question.”