Data breaches and budgets rise
While the number of respondents who have detected a security incident in the past 12 months has stalled at 79 percent, the average number of incidents detected per firm has increased 21 percent over the year before. The industries that suffered the largest jump in incidents this year include retail and consumer, education, government, and information and telecommunications.
Fortunately, all of the attention now being paid toward cybersecurity incidents is pushing security budgets up. In this year's survey, 45 percent of respondents reported that they have increased their budget this year over last.
The challenge going forward for those firms, says Ben Rothke, senior eGRC consultant at The Nettitude Group, is keeping that budget once security teams get the increase they need, and then building long-term sustainable results. "Security is a journey, not a destination. If you show you can be effective and also run security like a business, you should impress management and be able to get the budget you need," he says.
Johnson would likely agree, and also stresses that the CISO needs to be a leader who can align the technical aspects of information security with governance and business risk management metrics that executives and the board need to understand. For those who are not this mature, it's not going to improve overnight. "You can't boil the ocean and you can't ever reach 100 percent security. The threats change and all you can do is try to develop an aligned plan and work on the highest priorities first. [By capturing] metrics and revisiting this plan as the business environment, regulations and threats change, you will hopefully keep your program on track and show that you are being effective," says Johnson.