Via CSO Online.
The past year has been tough for enterprise security teams. Attacks like Petya and NotPetya suggest that the impact scale is increasing dramatically. The recent leak of government-developed malware and hoarded vulnerabilities has given cybercriminals greater capabilities. IT is struggling to keep pace with the flow of important security software patches and updates, and the continued adoption of new technologies like the internet of things (IoT) creates new vulnerabilities to contend with.
All this has driven many companies to do some soul searching about how they address cybercrime threats, according to a new survey from CSO. Its results provide insight into not only the nature and scope of the threats that U.S. businesses face, but exactly how those businesses are responding.
The 2017 U.S. State of Cybercrime survey is conducted annually by CSO in partnership with the US Secret Service and CERT at the Software Engineering Institute at Carnegie Mellon University. This year’s survey is sponsored by Forcepoint. Of the 510 respondents, 70 percent were at the vice president level or higher across all industries and the public sector, including the 35 percent in corporate management. The average IT security budget of the companies represented is $11 million.
Getting more serious about security
Security is getting more mindshare at the corporate level and more resources, even if in some cases the gains are incremental. Twenty percent of CSOs/CISOs now report to the board of directors on a monthly basis, up from 17 percent last year. Yet 61 percent of the boards still see security as an IT issue rather than a corporate governance issue. That number is barely down from last year’s 63 percent.
Companies are spending more on IT security, with an average budget increase of 7.5 percent. Ten percent of respondents reported an increase of more than 20 percent. The bulk of that money is being spent on new technologies (40 percent), but companies are paying for knowledge, too, in the form of audits and assessments (34 percent), adding new skills (33 percent), and knowledge sharing (15 percent). Respondents said they were investing in redesigning their cybersecurity strategy (25 percent) and processes (17 percent) as well.
Speaking of cybersecurity strategy, an amazing 35 percent of respondents said that a cyber response plan was not part of it. The good news is that 19 percent planned to implement a plan within the next year.
The greater emphasis on and investment in addressing threats has given companies more confidence in their security capabilities, even as they adopt new technologies such as mobile, cloud and IoT. Seventy-six percent believe they have the expertise to address those threats. This is despite a jump from 64 percent to 74 percent of those who say they are more concerned about security than they were a year ago.