A recent survey report from Moody's Investors Service notes that organizations have generally increased their cybersecurity investments across the board, but that the additional spending does not necessarily lead to better results or more complete defensive coverage.
Organizations are almost universally incorporating basic cyber security defenses and more than half now have cyber insurance, but spending on "advanced" and "robust" defensive solutions continues to lag. 93% of organizations now have a dedicated cybersecurity manager, but the frequency and depth of that manager's interaction with executives varies greatly between companies.
Investment in “basic” cybersecurity rises, companies still hesitant to spend on “robust” systems
Cyber security governance appears to be on the rise along with overall spending, and most organizations now have security management and executives interacting directly over IT defenses and remediation plans. However, there are some shortcomings in this arrangement. Communication is better in some organizations than others, and in many cases external stakeholders are left out of the loop: cyber incidents are reported to boards roughly twice as often as they are disclosed to the public.
The data shows that the closer the reporting structure between cyber managers and executives, the more investment in cyber security tends to occur. Investment in advanced defenses also correlates with the presence of relevant cyber expertise on the board of directors. And the presence of defined cyber targets in a CEO’s compensation package correlates with more stringent reporting structures. But despite these relationships, the actual role and importance of a cyber manager varies greatly from company to company.
93% of all organizations have a cyber manager, and in some specific industries (such as financial services) that number rises to 98%, but only about 50-70% of these (depending on the industry) report directly to the C-suite. Even fewer (33% to 59%) report directly to the CEO. The survey shows that cyber managers most commonly report to CIOs or CTOs, which would seem like a natural arrangement; however, the report notes that this can also create conflicts of interest. CIOs and CTOs in many organizations must weigh budget pressures against security, and where a more generalist CSO is in charge of all security there may be less technical expertise at the executive end of the reporting line.
How many boards have at least one director with some level of cybersecurity experience? This is another area that could use improvement when it comes to informed cyber security investment. Fewer than 50% of organizations have a director with cybersecurity experience, although the figure exceeds 50% in the financial services industry. The median share of directors with cyber experience in the infrastructure and public sectors is 0%. Where boards do have this experience, it derives from hands-on work a little less than half of the time.
Public disclosure suffers from a lack of transparency
The report notes that public disclosure of cyber incidents is not a transparent process and that this is another area where organizations vary greatly in their reporting procedures. There are no universal standards, and most industries (with the exception of public organizations) are hesitant to voluntarily inform the public: only 33% of financial services companies have done so in the last two years, and only 9% of infrastructure companies. By contrast, between 30% and 50% of organizations, depending on the industry, reported an incident to their board of directors over the same period.
The report attributes this largely to regulation setting the internal tone: categories of business that are subject to specific reporting rules show higher rates of public disclosure.
Investment in cybersecurity tends toward basic measures
Eighty-six percent of respondents said they have had at least one full-time cyber specialist on staff since 2019, with an additional 4% planning to add one by the end of 2022. Team size has also increased steadily since 2018. Overall cybersecurity investment rose 15% in 2019 and another 17% in 2020. And while there is still substantial room for growth (particularly in the public sector), the number of organizations that include cybersecurity as a discrete budget item has also increased during this time.
While there is a clear increase in cybersecurity investment across the board, it leans towards basic defensive measures: vulnerability scans, development of incident response plans, implementation of multi-factor authentication across the organization, weekly backups and periodic cyber risk assessments. None of these are bad things, but there is a tendency in most industries to neglect advanced methods, with some sectors standing out in particular. The public sector lags behind all other organizations in nearly every method surveyed, with very few (only around 10%) using penetration testing. The financial services industry is by far the best when it comes to adopting advanced defenses.
Some of the increased investment in cybersecurity is also going to stand-alone cyber insurance; 65% of public sector organizations have specialized cyber coverage, as do 57% of financial services companies. No industry is below 46% in this category.