Most importantly, Danahy says that a lack of confidence from IT or employees isn't a valid excuse for why businesses aren't living up to cybersecurity expectations. "Every business leader should know whether they are secure enough or not. They should ask themselves that question, and then force themselves to support the reasons for their response."
Difficulty proving security ROI
Another reason IT pros are abandoning effective security practices is that it's difficult to calculate the ROI of security. The study found that 54 percent of respondents have low confidence in their company's ability to demonstrate the ROI of security. For business leaders, the biggest motivation for implementing new processes or procedures, or for expanding budgets, boils down to how much money they can make on the initiative.
But IT pros are finding it hard to concretely define the ROI around security, whether it's purchasing new software, hardware or implementing company-wide security measures. Still, 52 percent of IT executives say they "would still jump at the chance to purchase new, improved security software, and one in four say there is no limit to what they would pay for something more effective and reliable."
Another cybersecurity study, from ISACA/RSA, found that, while 82 percent of board members are concerned about cybersecurity, only one in seven CIOs report directly to the CEO and most are left off the board entirely. And that's in an environment where 74 percent of security pros believe a cyberattack will occur in 2016, with 30 percent reporting daily phishing attempts, according to the study.
Businesses might need to move beyond an ROI-based attitude -- at least around cybersecurity -- says Eddie Schwartz, ISACA board member, chair of ISACA's Cybersecurity Task Force and president and COO of WhiteOps. "It's ridiculous to talk about ROI or the lack of ROI relative to cybersecurity at this point. It's clear from all of the breaches over the last several years that cybersecurity should be a key investment area for CIOs. If CIOs can't explain the value of security investments as easily as they explain the value of other features of their IT investment programs, they should not be CIOs."
Are IT pros giving up?
The survey asked how many breaches respondents experienced in the last year, and one third of respondents said they weren't sure. Among those who were aware, companies with fewer than 1,000 employees averaged two breaches, while companies with over 10,000 employees reported an average of 2.7 breaches for the year. The ISACA/RSA study found similar figures for 2015, with 24 percent stating they "didn't know" if user credentials were hacked or stolen or if hackers exploited their organization. Twenty-three percent couldn't say if they had experienced an "advanced persistent threat attack," while 20 percent didn't know if corporate assets were "hijacked for botnet use."