Eight out of 10 executives surveyed acknowledge that their companies had been compromised by cyber attacks in the past two years, according to a new study by KPMG. Yet less than half of the 403 CIOs, CISOs and CTOs the firm surveyed said that they had invested in information security in the past year.
“We’re still seeing companies taking a passive or reactive approach toward cybersecurity, when in fact cyber should be a top-line business issue thought about and practiced company-wide,” says Greg Bell, leader of KPMG's U.S. cyber practice. Bell spoke to CIO.com after publishing his “Consumer Loss Barometer” report in July.
The notion that hacked companies are underinvesting in cybersecurity defies logic until you understand that most CIOs are told to prioritize innovation over risk mitigation. Companies grappling with digital transformations are racing to find their own Pokemon Go. CEOs laser focused on growing the business are loath to slow down to reduce risk. Ultimately, cybersecurity fails to become the imperative that it should be.
Lack of oversight courts risk
Underinvestment in cybersecurity means less spending on talent and safeguards to protect companies from emerging threats, including business email compromise and ransomware, in which hackers hijack corporate networks and demand money to relinquish control. In a June survey, security firm Malwarebytes found that 41 percent of U.S. businesses had encountered between one and five ransomware attacks in the previous 12 months. Such attacks threaten to have a devastating impact on company brands and, ultimately, bottom lines.
Bell points to a lack of oversight or governance over how CIOs are allocating their budgets. CIOs tasked with investing in technology to grow the business focus on hiring new digital talent and implementing new solutions that drive innovation. But most cybersecurity teams can’t keep up with the pace of technological and business process change. Security teams prefer unchanging infrastructures, which let them establish a baseline of risk and detect anomalies against it.
“The need to move fast is critical so companies need to be more agile and embrace some of these newer and more disruptive technologies and look to add more value-added services to their product and service mix,” Bell says. “The problem is that most cybersecurity teams can’t align their value against that. It's a challenge that most of our clients have struggled with over the last several years.”
Bell says that cybersecurity has traditionally been aligned with IT infrastructure, but he suggests companies link it to innovation instead. Ideally, CIOs, chief digital officers and their CISO partners will work to layer in protection as new solutions are built, baked in rather than bolted on after the minimum viable product is launched. He says KPMG tried this model with a few clients and achieved solid results.