A recent research report from Moody’s Investors Service observes that organizations tend to increase their investments in cybersecurity across the board, but the additional spending doesn’t necessarily lead to better results or deeper defensive perimeters.
Organizations are almost universally building in basic cybersecurity defenses, and more than half now carry cyber insurance, but spending on "advanced" and "robust" defensive solutions continues to slow. 93% of organizations now have a dedicated cybersecurity officer, but the frequency and depth of that officer's interaction with executive leadership varies widely from company to company.
Investment in "basic" cybersecurity is rising, but companies are still hesitant to invest in "robust" systems
Cybersecurity governance appears to be on the rise along with overall spending: the majority of organizations now have dedicated security management and a direct interface between executives and the people responsible for IT defenses and remediation plans. However, there are shortcomings in this arrangement. Communication is better in some organizations than others, and in many cases external stakeholders are left out, with cyber incidents being reported to boards twice as often as to the public.
Data shows that the tighter the reporting structure between cyber managers and executives, the more cybersecurity investments tend to occur. Investment in advanced defenses is also correlated with the presence of relevant cyber expertise on the board. And the presence of defined cyber goals in a CEO’s compensation package correlates with strengthened reporting structures. But despite these relationships, the actual role and importance of a cyber manager varies widely from company to company.
93% of all organizations have a cyber manager, and in some industries (such as financial services) that number rises to 98%, but only 50% to 70% of them (depending on the industry) report directly to the C-suite. Even fewer (33% to 59%) report directly to the CEO. The survey shows that in most organizations the cyber manager reports to the CIO or CTO, which would seem a natural arrangement; however, the report notes that this may also create conflicts of interest. In many organizations CIOs and CTOs are beholden to budget concerns as much as to security, and where a more generalist CSO is in charge of all security there may be less technical expertise at the executive end of this equation.
How many boards have at least one director with some level of cybersecurity expertise? This is another area where the knowledge behind cybersecurity investment decisions could be improved. Fewer than 50% of organizations have a director with this experience on the board, although the figure exceeds 50% in the financial services industry. In the infrastructure and public sectors, the median share of directors with cyber experience is 0%. Among companies that do have this expertise on their board, just under half of the time it comes from hands-on experience.
Public disclosure suffers from a lack of transparency
The report notes that public disclosure of cyber incidents is not a transparent process and is another area where organizations vary widely in their reporting procedures. There are no universal standards, and most industries (except public organizations) are reluctant to report voluntarily to the public: only 33% of financial services companies have done so in the last two years, and only 9% of infrastructure companies. By contrast, between 30% and 50% of organizations (depending on the industry) reported an incident to their board over the same period.
The report attributes this largely to regulation setting the internal tone: categories of companies that are subject to special reporting rules show higher rates of public disclosure.
Investments in cybersecurity tend towards basic measures
86% of respondents said they have had at least one full-time cybersecurity specialist on their team since 2019, with an additional 4% planning to add one by the end of 2022. Team size has also increased steadily since 2018. Overall investment in cybersecurity jumped 15% in 2019 and another 17% in 2020. And while there is still substantial room for growth (particularly in the public sector), the number of organizations reporting cybersecurity as a separate budget line item also increased during this period.
Although there is clearly an increase in cybersecurity investment across the board, it is directed towards basic defensive measures: vulnerability scans, development of incident response plans, organization-wide multi-factor authentication, weekly backups and regular cyber risk assessments. None of these things are bad, but most industries tend to ignore more advanced methods, with some exceptions. The public sector lags behind all other sectors in nearly every method studied, and very few public sector organizations (only about 10%) use penetration testing. The financial services industry is by far the best at adopting advanced defenses.
Part of the increase in cybersecurity investment is also going to standalone cyber insurance: 65% of public sector organizations have specialized cyber coverage, as do 57% of financial services companies. No industry is below 46% in this category.