Tatum LLC announced the results of its second quarter Survey of Business Conditions, an executive survey based on the opinions of Tatum’s CFO partners and external CFOs, which focused on the issue of cybersecurity and how leaders are working to protect their organizations from the impacts of cyber breaches and intrusions. Most recognized serious threats to their companies, but reported that there was more work to be done to protect critical business information.
The results show strong consensus around the ability of respondents’ companies to identify their most critical information assets and information systems, with more than seventy percent asserting they have effectively prioritized cyber risks. However, there is much less agreement when asked if their personnel understand that cybersecurity is everyone’s job; nearly forty percent disagreed that their frontline personnel are trained to understand the value of the information assets they touch each day.
At the same time, almost half (forty-eight percent) of respondents reported that cybersecurity is not managed like an enterprise risk demanding an integrated strategy, involving risk analysis and presented in regular executive-level and board discussions. This indicates significant room for improvement in how companies contend with cybersecurity risks. Moreover, slightly more than half (fifty-five percent) of CFOs surveyed indicated that CEOs or other members of the senior leadership team are actively engaged in cybersecurity strategy decision-making, while forty-four percent report that their senior leaders are not involved in such activities.
Suzanne Donner, managing partner, Knowledge Management for Tatum, observed, “Our finding that a large number of CFOs acknowledge that companies could be mitigating the dangers of increasing cybersecurity risks more effectively highlights the need for greater strategy around this growing concern.”
The report noted that:
• Forty-four percent of the executive leadership described cybersecurity as a significant concern.
• Fifty-two percent forecast that 2015 spending on cybersecurity would exceed 2014 spending, while only two percent said it would be less.
• Forty-nine percent saw increased spending on cybersecurity capped at under ten percent, but a quarter saw increases in the eleven to twenty percent range and another quarter saw it as twenty-one percent or more.
Respondents were asked whether they agreed or disagreed with nine statements on cybersecurity risk management.
Strong consensus existed on identifying critical information assets and prioritizing those assets based on risk, with 8-in-10 and 7-in-10 respondents, respectively, agreeing they had done so. The lowest consensus was on continuous testing to improve incident response, with slightly less than 5-in-10 respondents saying they did so.
Of particular concern may be top or enterprise-level recognition of the strategic and business implications. Forty-eight percent disagreed that cybersecurity is managed like an enterprise risk; forty-four percent disagreed that their CEO and senior leadership team are actively engaged in cybersecurity strategic decision-making.
Respondents saw the cycle of technology upgrades to meet evolving threats (“the goal posts keep moving”) as one of the most daunting cybersecurity challenges. Also mentioned were increasing executive and employee awareness, recognition of a threat and buy-in, along with resource challenges – limited funding and availability of cybersecurity resources.
When asked, “What do you see as the most daunting aspect of effectively managing the cybersecurity challenge for your client company?” responses included:
• “Building and maintaining awareness and vigilance.”
• “Teaching people the risks and costs to implement better security, or conversely, to experience a ‘failure’ in cybersecurity.”
• “The volume of attacks and ever-changing technology for new ways to attack.”
• “Disruption to operational processes.”
• “Limited human resources and low spending allocation to address the issues.”
• “Security cooperation between clients and our company.”
• “Constant upgrading and change as more sophisticated intrusion is developed.”
The threat level is there. In the last three months, thirteen percent of respondent companies had suffered cyberattacks and ten percent a cybersecurity intrusion. Very few (less than one percent), however, reported an outright breach of sensitive information assets.
Tatum has made its second quarter 2015 Survey of Business Conditions report available for download.