As 2021 draws to a close, cyber crime remains one of the dominant topics for companies. In fact, according to our research, the number of cyberattacks continues to rise (31% in 2021 compared to 2020), and companies are more concerned about indirect attacks – successful intrusions into the organization via the supply chain – which rose from 44% to 61%. As a result, security investments continue to rise. More than 82% of our survey participants said that their IT security budgets had increased in the last year.
The picture is not entirely bleak. Our survey respondents are more optimistic about their cybersecurity programs than before, with 70% of respondents expressing confidence that their organization is actively protected by their cybersecurity program (up from 60% last year). However, executives in roles such as CEO or CFO have less trust than their risk and security colleagues, which leads to internal friction in many companies instead of all sides focusing on the threat at hand.
Our research identified four broad approaches to cyber resilience across organizations: business blockers, who prioritize cyber security over business strategy alignment; cyber risk takers, who prioritize business growth and are willing to take on higher levels of cyber risk to make it happen; the weak, who have immature cybersecurity operations and a level of risk that is inconsistent with business strategy; and cyber champions, who prioritize growth and speed to market, are willing to accept a higher level of risk, and have cybersecurity strategies that are fully aligned with that approach. While no strategy can completely eliminate all risks in this area, cyber champions succeed in at least three out of four performance criteria of cyber resilience – they are better able to stop attacks, find and fix security breaches faster, and reduce their impact.
It does matter where companies fall in these cyber quadrants – there’s money on the table. Business blockers will reduce their security breach costs by 48%, cyber risk takers by 65%, and the weak by 71% as they increase their performance to cyber champion levels. The key to success lies in finding a balance between excellent cyber resilience and focusing security efforts on the elements that are critical to achieving the overall business strategy. Having a common focus and set of priorities in embedding security into key business processes also helps align managers with the various functions.
There are several ways to achieve cybersecurity excellence. It can be helpful to give the Chief Information Security Officer (CISO) a seat at the table and give them a broader perspective that is good for the entire company.
The cloud can play an important role as well, but it still has a complex relationship with security. Many of our cyber resilience respondents have already moved significant parts of their operations to the cloud because they see the benefits of lower costs, more resilient operations and access to more advanced technology.
While most executives believe that cloud applications and operations are more secure than on-premise hosted ones, nearly a third (32%) of the executives we surveyed say security is not part of the cloud discussion from the start. For others, however, security problems stand in the way of introducing the cloud; about a third of all respondents say that poor governance and complex practices related to cloud security are an issue, that cloud security is too complex, and that they do not have the in-house skills necessary to build an appropriate cloud security solution. Security frameworks are required.