A new research study from SMU’s Darwin Deason Institute for Cyber Security finds that executives are changing the way they manage and invest in cybersecurity, moving away from limited, reactive approaches and adopting systemic risk management frameworks that combine hardware, software and operations protocols to mitigate cyber risk.
The study, Identifying How Firms Manage Cybersecurity Investment, was sponsored by IBM Security and based on a semi-structured survey of 40 executives across financial, retail, healthcare and government sectors. Participants, most of whom were chief information security officers, were selected primarily from large firms.
The study revealed several signs of increasing support for cybersecurity programs, including:
- More than 80 percent of those interviewed reported broad and increasing support among senior-level management and corporate boards for their cybersecurity efforts
- Eighty-eight percent of respondents reported that their security budgets have increased
- The majority of respondents cited news coverage of large and harmful security breaches as the driver of that support
- In an interesting twist of perception, while 46 percent of interview subjects believe their organization is spending the right amount of money on cybersecurity, 64 percent reported that their peers were spending too little
While most of those surveyed said getting funding for their cybersecurity efforts is not a hurdle, many executives talked about the difficulty they experience in finding and hiring skilled cybersecurity personnel. And while findings were similar across most of those interviewed from the private sector, the relatively small number of government executives surveyed noted that the lengthy budgeting processes they must work through make it difficult to react quickly to the emergence of new threats.
“Cybersecurity is more than a technology challenge,” says Fred Chang, director of the Deason Institute in SMU’s Bobby B. Lyle School of Engineering. “Dealing with the landscape as it exists today means making decisions within specific management cultures and understanding what drives the decision-making process. By explaining the move from compliance to risk-based cybersecurity programs we see in many C-suites, this report connects the dots for people making important decisions about what it takes to maintain privacy, financial security and operating capability – all of which are vulnerable.”
The widespread use of security frameworks shows a general maturation of cyber risk management, the study notes.
“Companies are realizing that simply checking the box for compliance requirements is no longer a sufficient security strategy,” says Bob Kalka, Vice President, IBM Security. “Hackers are becoming increasingly sophisticated in the battle for corporate data, and the survey results show that companies are evolving their security to keep pace. The increasing use of strategic, risk-based frameworks is a huge step forward in protecting these organizations’ most critical assets.”
“This report is powerful information for anyone guiding cybersecurity decisions today,” Chang says. “And it’s a good example of the kind of interdisciplinary focus the Deason Institute brings to the table.”
Chang joined SMU’s Lyle School of Engineering in September 2013 with the goal of creating a cybersecurity program that takes an interdisciplinary approach to what is frequently perceived as a strictly technical issue. The Deason Institute, launched in January 2014, provides SMU and the Lyle School with the critical resources to advance that goal. Chang’s career spans service in the private sector and in government, including as the former Director of Research at the National Security Agency (NSA).