More than 80 percent of CEOs are very confident in their firm's cybersecurity strategies, despite the fact that security incidents have increased 66 percent year-over-year since 2009 according to PricewaterhouseCoopers' 2017 Global State of Information Security Survey.
"CEOs are underestimating their companies' cybervulnerabilities," said Ray Rothrock, chairman and CEO of RedSeal. "Their confidence does not square with what we observe. Cyber-attacks are up and financial losses associated with these attacks are increasing dramatically." Specifically, PricewaterhouseCoopers' 2015 Global State of Information Security Survey projected that financial losses from cyberattacks will jump from $500 billion in 2014 to more than $2 trillion in 2018.
While CEOs remain confident that their cyberstrategies are well equipped to handle the risks facing their company networks, there is a disconnect between their perception and reality. In Oct. 2014, FBI director James B. Comey said that no company is immune from attack. "There are two kinds of big companies in the United States," he told 60 Minutes. "There are those who've been hacked...and those who don't know they've been hacked."
Yet two years later, the RedSeal study found that half of the CEOs still prioritize keeping hackers out of the network, versus just 24 percent who were concerned with building capabilities to deal with hackers who have successfully breached their network's perimeter defenses.
"The new cyberbattleground is inside the network, not at the perimeter," said Rothrock. "Firewalls, virus detectors, and malware scans are required to keep out 99 percent of the bad guys, but the one percent who get in can cripple a firm, critical infrastructure or a government agency."
The study found that, while 87 percent of CEOs agree that they need a better way to measure the effectiveness of their cybersecurity investments, 84 percent still plan to increase their spending in the next year. A trend reiterated by IDC's October 2016 prediction that organizations will spend $101.6 billion on cybersecurity software, services, and hardware in 2020, a 38 percent increase from its 2016 spend projections.
"We've reached an inflection point where cybersecurity strategies and investments have underperformed for an extended period of time. Analysts estimate that cyberlosses are now growing more than twice as fast as the spend on security," continued Rothrock. "To stem this tide, CEOs and boards need more effective metrics to understand the real-time health and function of their network, and to more clearly manage and measure their cyberstrategies and investments."
Even though security budgets are at an unprecedented high, nearly three out of four CEOs report the metrics they receive lack meaning or context. Most (79 percent) agree their reports are too difficult to understand, and 87 percent need a better way to measure whether cybersecurity investments are effective. In addition, they cite a lack of timeliness (51 percent) as well as only receiving reports in times of crisis (50 percent) as significant challenges.
Nearly 90 percent of CEOs say they want information—on a daily basis—about their cybersecurity posture and network's overall health, external threat level, and the resilience of the network.
And while 79 percent of CEOs surveyed strongly agree that cybersecurity is a strategic function that starts with executive leadership versus being a responsibility passed on to the IT team, 89 percent of these same CEOs report reliance on their IT team to make the budget decisions on cybersecurity.