The days of CEOs regarding data protection technologies and staff as a budget drain and operating tax that stifles innovation are over. Galvanized by high-profile breaches, companies are shelling out more money to shore up corporate defenses. CEOs also recognize that security is table stakes for building digital products and are entrusting their CISOs with more responsibilities.
Fifty-nine percent of 10,000 C-Suite executives polled by PwC for the new Global State of Information Security Survey said they are investing more in cybersecurity, including data analytics, real-time monitoring, authentication tools that include biometrics, and managed security services (MSS). David Burg, PwC’s U.S. and global leader of cybersecurity and privacy, says anecdotal evidence also suggests that companies are turning to CISOs to build security into software, including anything from mobile applications to connected cars that exchange information with smartphones.
CEOs leaning more on CISOs
"What's becoming clear is that senior execs -- CEOs, marketing chiefs and others who worry about digital -- are turning to CISOs and saying, OK how do I solve this? It's not can I do it. The decision to do it has already been made. How do I do this in a way that is secure and safe and minds privacy regulations," Burg tells CIO.com. "It's an important pivot. To remain competitive, organizations today must make a budgetary commitment to the integration of cybersecurity with digitization from the outset."
This new mindset has come at great cost to some of the U.S.'s largest brands. Breach post mortems of Target, Home Depot and dozens of other companies revealed that they had underinvested in IT security, ranging from failure to implement proper tools and best practices to lacking CISOs and other key staff. In many cases, the cost of a breach outweighs the cost of protecting corporate assets. But as companies increasingly create digital services, they are both creating more vulnerabilities and storing more consumer data hackers may exploit. The new thinking goes: You can't compete in digital if you can't protect both corporate and customer information.
Traditionally, CIOs have built and implemented IT systems and then asked their CISOs to layer on security tools, including anything from antivirus software to firewalls. CISOs essentially look at a mosaic of technology, see a hole and buy a security product to fill it, says Burg, who has worked on several such implementations in his career. "The CISO has got to figure out how to protect enormous complexity," Burg says. But if there is one thing the swath of breaches shows, it is that the build-first-protect-later approach is broken.