
Security still not a C-suite competency, says GlobalData

Security spending rises, but security still not getting C-level accountability

Organisations are neglecting to put in place CISOs that report to the CEO, or to take a proactive approach to security, says GlobalData.

Many companies are increasing their cybersecurity spending, without raising C-level accountability or switching to a more proactive footing, according to GlobalData.

The data and analytics company said that cybersecurity has become a business-critical function, yet remains a non-core competency for most C-suite executives.

GlobalData figures show that companies worldwide spent a combined $114bn on security products (both hardware and software) and services in 2017. By 2021, the figure is expected to have passed $140bn. Security services spending accounted for 68% of total spending.

While companies are aware of the need to adequately protect customer data and proprietary secrets, and of the risk to brand reputation of a data breach, the issue is still lacking in C-level reporting, the company said.

The company's latest thematic research report, 'Cybersecurity', reveals that whilst cybersecurity has now become a critical business function, it remains a non-core competence for a significant number of boards. Chief information security officers (CISOs) have become increasingly common in recent years (recent research suggests that nearly two-thirds of large US companies now have a CISO position), but the majority do not report directly to the CEO, which reduces their effectiveness.

Cyrus Mewawalla, Head of Thematic Research at GlobalData, commented: "The frequency of cyberattacks is only likely to accelerate over the coming years, therefore it is vital that senior executives have a full understanding of the inherent risks and implications. The losers will be those companies whose boards do not take cybersecurity seriously, as they run a higher risk of being hacked."

It is hard to assess a company's exposure to cybersecurity risk, but the composition of the board often provides clues: CEOs who do not have a chief information security officer (CISO) reporting directly to them present a high risk.

Mewawalla continued: "Traditionally, most companies have adopted a prevention-based approach to cybersecurity, but recent advances in technology areas like machine learning are enabling a move towards active detection of threats."

This allows pre-emptive action to be taken to stop breaches before they occur and also serves to free up resources currently occupied with chasing false positives from existing, more reactive systems.

GlobalData identifies the key cybersecurity technologies as network security, unified threat management, artificial intelligence, behavioural analytics, SIEM, endpoint security, mobile security, identity management, data security, application security, email security, cloud security, managed security services, and post-breach consultancy services.

Looking at unified threat management (UTM), GlobalData believes that this should be an area for growth going forward. The process can tackle diverse threats and also address the issues faced by companies that find themselves with a myriad of security products from a wide variety of vendors, which can result in a security landscape that lacks coherence.

Mewawalla added: "There is an ongoing move away from a prevention-based approach to cyberattacks and towards active detection of threat actors using intelligence-led tools. Chief information security officers (CISOs) and security executives are increasing investment in detection and response based offerings such as deception technology, software-defined segmentation and behaviour analytics."

This increased emphasis on detection and response can free up resources currently occupied with chasing false positives.

