The state of IT security, 2018

Every year, CIO conducts its State of the CIO survey. This year’s results are in, and the numbers will help you understand how the CIO role continues to evolve in today’s business climate and define your agenda for 2018.

The complete survey covers a wide range of topics, but for this article we thought we’d focus on security, as breaches are increasingly costly and infosec a crucial part of your tech strategy. This is a question that covers everything from the big picture — who’s in charge of IT security, and to whom do they report? — to the nitty gritty — how big is their budget?

Let’s dive in and see what the numbers tell us.

One of the best ways to see if a company is really prioritizing something is to look at how important the person they put in charge of it is. The exact titles used can be a bit confusing — you have your Chief Security Officers (CSOs), your Chief Information Security Officers (CISOs), and other variants, and their job descriptions can vary from company to company, with CSOs being somewhat more likely to have responsibility for physical security as well as infosec.

By that measure, the record of the companies we surveyed is mixed when it comes to security. 25 percent have a CISO, 11 percent have a CSO, and 17 percent have a top security executive with another title. That means that nearly half of companies have nobody on the executive team in charge of security.

Of course, as anyone who’s engaged in a little corporate infighting knows, often your influence within a company is most clearly defined by who you report to on the org chart. We asked companies with both CSOs and CISOs who that officer reported to, and the results were somewhat illuminating about the differences between the two.

At organizations that had a CSO, about half of those executives reported directly to the CEO or COO, while a quarter reported to the company’s top-level CIO. For CISOs, these reporting structures were almost exactly reversed: about half were under the top-level CIO’s umbrella, and a quarter answered to someone closer to the top. That seems to indicate that CSO is the title with more prestige, at least for now. (For both jobs there were a smattering of other potential bosses, including divisional CIOs and CFOs, the latter perhaps being a legacy of loss prevention falling under that officer’s purview.)

To be most effective, security needs to be baked into the strategy from the beginning. And this isn’t something that’s a secret to most IT execs. We asked our surveyed companies about the integration between their IT security strategy and their IT strategy overall, and more than half (54%) voted for “tightly integrated,” meaning that “IT security strategy is an integral part of our overall IT strategy and roadmaps.” Ten percent said “IT security investments are typically reactive in response to existing IT security challenges or events.”

The IT leaders who answered the survey know this isn’t good enough. When asked how integrated IT security strategy will be with IT strategy three years from now, 82% said the two would be tightly integrated, while only 2% said they would not be integrated.

It’s not atypical for infosec pros to grumble about top execs’ lax attitude about security, but as cyberattacks mount, CEOs are beginning to learn that their job is intimately tied to the potential fallout from security incidents. In fact, “The entire C-suite and board is on the hot seat for security these days,” Matthew Karlyn, Partner, Technology Transactions & Outsourcing Practice, Foley & Lardner LLP told attendees at the CIO Perspectives event in Houston back in 2015.

Maybe that’s why, when we asked CIOs what their CEOs’ top priorities were for them in the coming year, 36 percent had “upgrade IT and data security to avoid cyber attack” in the top three — more than any other response.

In a data point that might conflict a bit with CEOs’ keen interest in avoiding cyberattacks, only 28 percent of surveyed companies said that “Security/Risk Management” was a tech initiative that would drive IT investment at their organization, with the rest of the respondents highlighting other, non-security directions for dollars to flow.

But when we asked what business initiatives were going to drive IT investments, we got a different story: 31 percent said “increase cybersecurity protections,” and another 19 percent said “meet compliance requirements (GDPR, etc.)” — and compliance with rules like the GDPR typically falls under the top security exec’s purview. Perhaps the message is that executives really are seeing security as an integral way of thinking about the business, and not just another set of boxes to buy and software to install.

In 2015, IDC pegged 13.7 percent of a company’s IT budget as the ideal amount to be spending on security, though mounting cybersecurity challenges since then have meant that IT security spending is only going up, and the rest of a company’s budget won’t necessarily keep pace.

Still, most of our respondents’ companies fall short of the ideal: More than half of companies spend less than 10 percent of their IT budget on infosec. A quarter of companies are in that target 10 to 20 percent range.

All these data points might lead you to think that infosecurity is a lucrative field for newly minted IT pros to get into. We asked our respondents about who they’re looking to hire, and their answers won’t change your mind. The companies said that, out of all the areas where they anticipated the most difficulty in finding appropriate skillsets, security and risk management topped the list — 39 percent picked this answer. If you’re looking to break into cybersecurity as a career, now is definitely the time. And if you’re looking to hire — well, we wish you luck.