Despite corporate investments to improve cybersecurity, compliance and risk mitigation, many companies are still underprepared for strict regulations and cybersecurity attacks.
The 2018 Harvey Nash Group/KPMG CIO Survey found that 49% of the responding 3,958 IT leaders cited improved security as a priority. Much of this attention is likely reactionary, as one-third of the responding IT leaders reported a major cybersecurity attack in the prior two years. And while 22% considered themselves well-prepared to defend against an attack, 14% reported that their organization is insufficiently prepared and "exposed to a cyberattack in multiple areas."
However, experts are finding a silver lining to this seemingly negative data. The cyberthreat environment and new GDPR regulations are pushing companies to improve cybersecurity, compliance and data privacy practices via increased spending, hiring and investment in cybersecurity-related technology projects.
"There's more pressure at the board level for organizations to protect themselves," said Anna Frazzetto, CTO and senior vice president at Harvey Nash, a global recruitment consultancy and IT outsourcing service provider.
Several headline-making data breaches, ransomware strikes and other malware attacks are heightening companies' efforts to improve cybersecurity.
Certainly, corporate directors and executives have paid attention as costs related to such incidents spiraled upward. The Ponemon Institute reported that the global average cost of a data breach in 2018 is currently 3.86 million, up 6.4% from last year.
Experts said the C-suite's heightened concern over their enterprise security posture also stems from the recognition that modern-day threats aren't only costly, but crippling. A cyberattack significantly damages consumer and employee trust, hurts a company's market share, eats away at profits and returns, and halts operations, said Hardik Modi, senior director of threat intelligence in the research division at NetScout Systems Inc., a provider of application and network performance management products.
Anna FrazzettoCTO, Harvey Nash
Increased regulations, like the newly implemented GDPR, are also pushing security and security-related topics to the forefront of the boardroom and the C-suite.
"These laws are demanding that companies invest in certain cyber priorities," said Steven Stein, principal at KPMG's Cybersecurity Services practice.
Improvements made, challenges remain
Strategies to increase security postures and improve compliance with data protection regulations vary by organizational risk -- which itself varies by industry, said Orson Lucas, managing director of KPMG's Cybersecurity Services practice.
One overarching trend is that organizations -- particularly those with more mature cybersecurity operations -- are investing heavily in next-generation cybersecurity technologies that use artificial intelligence and automation to analyze security-related data points and pinpoint the activities that are the most concerning, Lucas said.
The Harvey Nash/KPMG study also found that many organizations are trying to beef up their security expertise, with demand for security and resilience talent jumping 25% from the 2017 survey. However, the tight IT labor market has 65% of CIO's saying a lack of talent is holding their organizations back from keeping pace with technological change. To assist with the lack of headcount, many respondents reported that they plan to implement automation techniques, the survey found.
Experts say organizations are maturing their overall approach to compliance, cybersecurity, privacy and risk by moving from reactionary operations to proactive practices.
Stein said more organizations are consolidating cybersecurity, data privacy and risk/compliance activities into information lifecycle management. This discipline brings together legal, risk, information security and IT with the expectation that better coordination between them will deliver the best results on all fronts.
"We're seeing a much heavier focus on information governance -- understanding what you have, where it's being transmitted, tracking and managing that," Lucas said. "If done well, it is the core of effective cybersecurity and privacy strategy."
Similarly, Modi said he sees more companies building security operation centers that consolidate related tasks to ensure more efficient, effective execution.
"Executives and boards recognize that there's a maturity cycle everyone is going through [and that] the world is going through together," he said. "So there has been a lot more investment in personnel and processes."
Accentuating the positive
The Harvey Nash/KPMG CIO Survey found that only 15% of the respondents predicted their organization would be GDPR-ready by the regulation's May 2018 deadline, but Lucas said many executives acknowledged that they started their compliance efforts late and, as a result, fell behind. But companies are working to improve: The survey found that about half of the companies have nearly completed their GDPR compliance efforts.
Lucas made a similar observation regarding most of the respondents reporting their systems as ill-prepared for a cyberattack, noting that most companies are still refining their efforts to improve cybersecurity practices.
"A lot of companies may feel ill-prepared -- the attack surface for most companies is significantly bigger now," he said. "In years past, it was just a perimeter problem and [required only] the ability to lock that perimeter down. Now, you have employee devices, people who work remotely, you have increased access by third-party vendors and partners. At the same time, the attacks are increasingly complex and the attackers are increasingly focused and well-funded."
Frazzetto echoed that organizations are dealing with increased attack surfaces, more complex IT infrastructure and exponentially more data than ever before, yet they continue to improve cybersecurity and privacy practices.
"There was very little fluctuation year over year, so I walked away and said that's good news," she added. "That means that instead of it growing exponentially, which you'd anticipate with all the changes taking place, we've actually been able to control it."