CEOs, ITs lack confidence vs cyber threats

Studies show that a vast majority of chief executive officers and IT security teams struggle with the effectiveness of their organizations against cyber security threats. In addition, independent research has found that chief information security officers lack confidence in their executives’ ability to prevent attacks on their hardware, systems, and networks.

The EY 2023 Global Cybersecurity Leadership Insights Study, a global survey of 500 cybersecurity leaders, showed that one in five CEOs considers their organization’s approach adequate for current and future threats. Half of the respondents also appear skeptical about the effectiveness of the training their organizations provide, and just 36 percent are satisfied with the adoption of best practices by teams outside the IT department.

Richard Watson, EY Global and Asia-Pacific Cybersecurity Consulting Leader, commented, “After all the time and money spent on cybersecurity, CISOs still feel very unprepared against cyber threats. The levels of dissatisfaction are more worrying when seen in the context of increasing geopolitical instability, economic uncertainty, and the rapid adoption of emerging technologies that will push the number of incidents to even higher levels and see cyber adversaries continually evolve.”

At the same time, cyber leader respondents reported mounting costs associated with cybersecurity investment and an average of 44 cyber incidents per organization in 2022. Chief information security officer respondents reported an average annual spend of $35m on cybersecurity. In comparison, the median cost of a breach to their organization has increased by 12 percent to $2.5m in 2023 and is anticipated to reach $4m.

Despite high levels of spending, detection and response times could be faster. More than three-quarters of respondents (76 percent) said their organizations take an average of six months or longer to detect and respond to an incident.

An independent study commissioned by Accenture titled “The Cyber-Resilient CEO” said that 75 percent of CEOs are concerned about their organizations’ ability to avert or minimize damage to the business from a cyberattack — even though 96 percent of CEOs said that cybersecurity is critical to organizational growth and stability.

Accenture’s research points to the reactive way CEOs treat cybersecurity, which results in a greater risk of attacks and higher costs to respond to and remediate them. It notes that 60 percent of CEOs said their organizations don’t incorporate cybersecurity into business strategies, services, or products from the outset, and more than four in 10 (44 percent) of the CEOs believe cybersecurity requires episodic intervention rather than ongoing attention.

Adding to this reactive stance is the incorrect assumption by more than half (54 percent) of CEOs that the cost of implementing cybersecurity is higher than that of suffering a cyberattack, despite history showing otherwise. For instance, the report notes that a breach at a global shipping and logistics company resulted in a 20 percent drop in business volume, with losses hitting $300 million.

In addition, despite 90 percent of CEOs saying cybersecurity is a differentiating factor for their products or services to help them build customer trust, only 15 percent have dedicated board meetings for discussing cybersecurity issues. This disconnect might be explained by the fact that the vast majority (91 percent) of CEOs said cybersecurity is a technical function that is the responsibility of the CIO or chief information security officer.

Meanwhile, research sponsored by BlackCloak, a provider of digital privacy protection for high-profile executives, showed that IT security teams lack confidence in their executives’ ability to prevent attacks on their hardware, systems, and networks.

Asked to rate from one to 10 how confident they were in CEOs’ and executives’ abilities to recognize a phishing email, only 28 percent of respondents were satisfied. A similar percentage (26 percent) applies to security teams’ trust in high-level executives to securely set up their home network and protect their computers from viruses.
