Report: 86% of CISOs say cybersecurity breaches are inevitable – „more and more C-Level executives are now treating IT security as an investment”

IT security leaders in businesses across the globe are stuck with their hands behind their backs when it comes to fighting off cybercrime. They lack influence in the boardroom and find it hard to justify the budgets they need; inevitably making their businesses more vulnerable. The phenomenon is one of the findings of a new report from Kaspersky Lab, which has found that 86% of CISOs now believe cybersecurity breaches to be inevitable, with financially motivated groups being their primary concern.

From cloud to malicious insiders: the attack surface is widening in modern business

The rise of cyberthreats, combined with the digital transformation that many enterprises are currently undergoing, is making the role of the CISO increasingly important in modern business. The Kaspersky Lab report shows that there is now more pressure on CISOs than ever: 57% consider complex infrastructures involving cloud and mobility to be a top challenge, and 50% are worried about the continuing increase in cyberattacks.

CISOs believe that financially motivated criminal gangs (40%) and malicious insider attacks (29%) are the biggest risks to their businesses, and these are the threats that are extremely difficult to prevent: either because they are launched by ‘professional’ cybercriminals or because they are assisted by employees who are expected to be on the right side.

Budget justification challenges are leaving CISOs to compete against other departments

The budgets allocated to cybersecurity are reported to be growing. Slightly over half (56%) of CISOs are expecting their budgets to increase in the future, and 38% of respondents expect budgets to remain the same.

Nonetheless, CISOs are up against major budgetary challenges, because it’s almost impossible for them to offer clear return on investment (ROI), or 100% protection from cyberattacks.

For example, more than a third (36%) of CISOs say they cannot secure their required IT security budgets because they cannot guarantee there will not be a breach. And, when security budgets are viewed by a business as part of overall IT spend, CISOs find themselves vying for budget against other departments. The second most likely reason for not getting budget, is that security is sometimes part of overall IT spend. In addition, a third of CISOs (33%) said the budget they could be allocated is prioritized for digital, cloud or other IT projects instead – which may be able to demonstrate a clearer ROI.

CISOs need a board-level audience as digital transformation takes hold

Cyberattacks can have drastic consequences for businesses: more than a quarter of respondents to the Kaspersky Lab study identified reputational (28%) and financial (25%) damage as the most critical consequences of a cyberattack.

However, despite the negative impact of a cyberattack, only 26% of the IT security leaders surveyed are members of the board at their respective businesses. Of those who aren’t a board member, one-in-four (25%) believe that they should be.

The majority of IT security leaders (58%) believe that that they are adequately involved in business decision making at the moment. However, as digital transformation becomes key to the strategic direction of large enterprises, cybersecurity should too. The role of the CISO needs to develop to reflect these changes, giving them the ability to influence decisions.

Maxim Frolov, VP Global Sales, at Kaspersky Lab, said: “Historically, cybersecurity budgets were perceived as a low priority IT spend, but this is no longer the case. The attack surface of modern businesses is growing, and so too is the frequency and impact of cyberthreats and the cost of cyber incidents. The result is that more and more C-Level executives are now treating IT security as an investment.

Today, cybersecurity risks are top of the agenda for CEOs, CFOs and Risk Officers. In fact, a cybersecurity budget is not just a way to prevent breaches and the disastrous risks associated with them – it’s a way to protect business continuity, as well as a company’s core profile investments.”

To find out more information and read the full report What It Takes to Be a CISO: Success and Leadership in Corporate IT Security, head to the link.