An overwhelming number of CIOs are expecting an increase in their budgets specific to security to tackle the growing cyber threat, according the 2018 CIO 100, with more than half having reported they had detected a security breach in the previous 12 months.
The annual survey also hinted at the emergence of the CISO role as a peer to the CIO at large organisations, although the study found that security leaders largely sit in the CIO function. [Also read: Chief Information Security Officer salary, job description and reporting line]
Some 56% of organisations in the 2018 edition of the CIO 100 responded they had detected a cyber breach in the last year, up a single percentage point from 55% in 2017 but the same figure as the 2016 research. A massive 81% expected to have an increased security spend, one percentage point lower than the 82% of 2017.
Of the 19 who responded they did not expect to have more IT budget to spend on security, 11 were public sector, charities or non-profit organisations.
Radius Payment Solutions CIO Dave Roberts said that cyber security had become a board room issue, but that focusing on culture would be as important as throwing more money at the problem.
"Cyber security is now a board level agenda item with a spotlight on managing IT security, risk and compliance accordingly," he said. "In March 2018, following a two-year period of intensive work, Radius Payment Solutions successfully achieved the ISO 27001 Information Security Management Systems Certification.
"To reach this level of compliance it was important not just to have good IT controls and systems but also instill the right culture and adoption of security by design and best practice across the organisation.
"Working with third party security vendors has helped to provide external insight and guidance on how to optimise organisational cyber security and reduce the exposure to known vulnerabilities. The IT security landscape is ever-changing and therefore needs ongoing attention to stay ahead of the emerging attack vectors."
CISO role and reporting line
Responding to a question about the role of Chief Information Security Officers - or equivalents - at their organisations, the 2018 CIO 100 revealed 56% of organisations had a security leader reporting into the CIO function. This was down from 70% in 2017, while the number of CISOs who are a peer to the CIO increased more than three-fold from 5% in 2017 to 16% this year.
Some 8% of respondents said that the position of IT security chief was overseen by another role in the CIO's department, while at 2% of organisations the role reported into legal and finance, and another 2% employed a 'Virtual CISO' or 'CISO-as-a-Service'.
One CIO noted security was the responsibility of the whole organisation, some 6% named themselves as CIO as also being the organisation's CISO, and there were a number of 'other' answers.
Following the 2017 CIO 100, security strategists from Trend Micro said that it was "unfortunate" that the CISO role did not have a direct reporting line to the CEO, while CIO of the Barclays Group Security Function, Elena Kvochko, said that this was a mere sideshow when organisations should be focusing less on the silos and politics and more on delivering 'security' as an integrated service.
In April 2018 Accenture reported in its State of Cyber Resilience Index that 90% of organisations anticipated cyber security budget increases compared to 65% in 2017. The company also said that 66% of CISOs reported to the CEO or board in its survey of 4,600 executives from companies with annual revenues of more than $1 billion across 15 countries.
Basic security steps
Last month a study by the Department for Digital, Culture, Media and Sport found that 43% of UK businesses and 19% of charities had suffered a cyber breach or attack in the past year.
CEO of the National Cyber Security Centre, Ciaran Martin, said: "Cyber attacks can inflict serious commercial damage and reputational harm, but most campaigns are not highly sophisticated.
"Companies can significantly reduce their chances of falling victim by following simple cyber security steps to remove basic weaknesses. Our advice has been set out in an easy-to-understand manner in the NCSC's small charities and business guides."