Organizations are showing more interest in cybersecurity through executive involvement and higher spending. Nevertheless, the added attention is new and more resources need to be directed at defending against cyberattacks, a study shows.
Last year, no information security professionals said they reported to senior executives. Today, 35 percent report quarterly on the state of information security to the company board and the chief executive and about 10 percent report monthly, according to this year's Global Information Security Survey from consultancy Ernst & Young.
While the upper echelon is paying more attention, they are still not spending enough to defend against cyberattackers, who are increasingly more sophisticated, according to the survey of senior executives in more than 1,900 companies and government organizations.
Half of the respondents planned to increase their cybersecurity budget by 5 percent or more over the next 12 months, yet 65 percent cited insufficient funds as their number one challenge to operating at a security level expected by their companies. For businesses with revenues of $10 million or less, the number dissatisfied with funding rose to 71 percent.
A larger percentage of budgets need to be directed at security innovation and emerging technologies within the enterprise, such as the use of mobile devices and social media, the survey found. Over the next 12 months, 14 percent of security budgets are being allocated to new technologies, yet respondents said they were unsure whether they were ready to handle the risks posed by corporate use of social media.
"Organizations need to be more forward-looking," Ken Allan, EY global information security leader, said in a statement.
Data protection is being taken much more seriously within organizations. Rather than being treated as a line item in a contract or something left to third parties, as seen in previous surveys, three quarters of respondents were mandating self-assessments or commissioning independent external assessments.
As the attention given to cybersecurity grows, so does the need for skilled professionals. Unfortunately, the available pool of talent is insufficient. Half of the respondents cited a lack of skilled workers as a barrier to meeting all security priorities.
The scarcity of talent is not being properly addressed by an increasing number of executives, the survey found. The percentage of respondents citing a lack of executive awareness or support rose to 31 percent this year, from 20 percent in 2012.
"A lack of skilled talent is a global issue," Allan said. "It is particularly acute in Europe, where governments and companies are fiercely competing to recruit the brightest talent to their teams from a very small pool."
To become more efficient in cybersecurity, EY is recommending that businesses take time to understand the attackers targeting them and then decide on the defense strategies and technology.
Sign up for CIO Asia eNewsletters.