New research from F5 finds only 51% of companies have organization-wide IT security strategy
IT security increasingly becomes a priority, CISOs influence within companies is growing; however, security strategy in many organizations is still largely reactive and not yet aligned with business functions.
Latest report from F5 Networks at Singapore International Cyber Week finds:
Sixty-eight percent of respondents say CISOs have the final say in all IT security spending, while a slightly smaller number (64 percent) say they have direct influence and authority over all security expenditures in their organizations. Eighty-seven percent of respondents say the IT security budget has increased significantly (18%), increased some (29%), or has not changed (40%).
Fifty-eight percent of respondents indicate IT security is a standalone function and only 22% say security is integrated with other business teams, while 45 percent say their security function does not have clearly defined lines of responsibility. Seventy-five percent of respondents say that due to the lack of integration with business functions, turf and silo issues have either a significant influence (36%) or some influence (39%) on IT security tactics and strategies.
Sixty percent of respondents believe their organizations consider security to be a business priority, yet only 51% say their organization has an IT security strategy, and of those only 43% say that strategy is reviewed, approved and supported by other C-level executives. The findings indicate that change in security programs is largely reactive, with material data breaches (45%) and cyber security exploits (43%) the top two events that get attention from other senior executives.
Sixty-five percent of respondents say CISOs communicate directly with senior executives, but rarely is it strategic discussion of all threats to the organization. Forty-six percent admitted communication with the CEO and board of directors solely happens in the event of material data breaches and material cyber-attacks while only 19% report all data breaches to the CEO and board of directors.
The report cites, a talent shortage in IT security continues to loom large for CISOs. The average headcount of IT security personnel will increase from 19 to 32 full-time (or equivalent) employees over the next two years, with nearly half (42%) feeling their current staffing is not adequate. Fifty-eight percent say they have difficulty hiring qualified security personnel, with the biggest challenges identifying and recruiting qualified candidates (56%) and an inability to offer a market-level salary (48%). These challenges are pushing companies to look elsewhere for solutions – half of respondents (50%) believe computer learning and artificial intelligence can address staffing shortages, and 70% believe these technologies will be important to their IT security functions in two years.
The report was conducted by the Ponemon Institute with F5 Security; the findings were based on interviews with senior-level IT security professionals at 184 companies in seven countries: The United States, the United Kingdom, Germany, Brazil, Mexico, India and China.
“This research provides a unique view into how CISOs are operating in today’s challenging environment,” said Mike Convertino, Chief Information Security Officer at F5. “It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. Yet in many organizations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”