Identifying How Firms Manage Cybersecurity Investment
Years ago most firms would manage cybersecurity and make investment decisions based mainly on industry best practices, resulting in their adopting certain technologies, policies and practices without a detailed understanding of their specific overall cyber risk situation. As a result, very few successfully developed and deployed a strategic, comprehensive and effective cyber risk management framework. Lacking a clear articulation of how cyber risks integrate into organizational risk, many firms experienced a persistent under-funding of information security budgets.
Over the past couple of years the landscape has changed dramatically. Cyber risk is now a board-level concern, and everyone is sensitive to cybersecurity. Has this heightened awareness changed how firms now prioritize their (still-limited) security budgets? Are return-on-investment (ROI) models being used, which would indicate a greatly matured approach to cyber risk management? Are other frameworks being developed to address the growing perception that many of the most damaging cyber risks may not be accurately characterized by ROI models, which struggle to deal with broader concerns such as reputational damage? How are firms actually managing cyber risks and deciding how to make substantial investments? What are the key motivations driving cybersecurity investments: cost reduction, regulatory compliance, risk reduction, process improvement, and/or something else?
We report on a set of semi-structured interviews with information security executives and managers at a variety of firms. Section 2 details the methodology, and the subsequent sections present the key findings. Section 3 describes how organizations are supported in terms of budget and by senior management, along with how that support has changed. Section 4 examines how cybersecurity investment decisions are made, including how organizations prioritize, using metrics and especially frameworks. Section 5 examines the suitability of the information decision makers have for managing risk and selecting vendors for security controls. Section 6 compares findings across different sectors, while Section 7 examines the unique circumstances facing government CISOs. Section 8 discusses three cases of "CISO Mavericks" whose approach differs significantly from the rest.