A few years ago most firms managed cybersecurity and made investment decisions based mainly on industry best practices, adopting particular technologies, policies and practices without a detailed understanding of their own overall cyber risk situation. As a result, very few successfully developed and deployed a strategic, comprehensive and effective cyber risk management framework. Lacking a clear articulation of how cyber risks fit into organizational risk, many firms experienced persistent under-funding of their information security budgets.
Over the past couple of years the landscape has changed dramatically. Cyber risk is now a board-level concern, and awareness of cybersecurity extends well beyond the security function. Has this heightened awareness changed how firms prioritize their (still-limited) security budgets? Are return-on-investment (ROI) models being used, which would indicate a substantially matured approach to cyber risk management? Are other frameworks being developed to address the growing perception that many of the most damaging cyber risks are not accurately characterized by ROI models, which struggle with broader concerns such as reputational damage? How are firms actually managing cyber risks and deciding when to make substantial investments? What are the key motivations driving cybersecurity investments: cost reduction, regulatory compliance, risk reduction, process improvement, or something else?
This is a report on a set of semi-structured interviews with information security executives and managers at a variety of firms. Section 2 details the methodology, and the subsequent sections present the key findings. Section 3 describes how security organizations are supported, in terms of budget and by senior management, and how that support has changed. Section 4 examines how cybersecurity investment decisions are made, including how organizations prioritize using metrics and, especially, frameworks. Section 5 examines the adequacy of the information decision makers have available when managing risk and selecting vendors for security controls. Section 6 compares findings across different sectors, while Section 7 examines the particular circumstances facing government CISOs. Section 8 discusses three cases of “CISO Mavericks” whose approach differs significantly from the rest. Finally, we conclude in Section 9.