An urgent business priority
The cyber security industry has reached a critical point. The increasing sophistication of cyber criminals, coupled with the rapid shift to digital technologies brought about by the coronavirus (COVID-19) pandemic has emphasised cyber security’s importance for both individual organisations and wider society.
To find out what’s next for cyber security, we surveyed more than 3,000 business and technology executives around the world, including 265 in the UK. Our research highlights key challenges to be overcome and reveals how organisations will seek to improve their cyber resilience in 2021.
COVID-19 has forced organisations to rapidly shift to new digital ways of working, with many now using it as a catalyst for permanent changes. Our research showed that a third of UK organisations (34%) plan to accelerate their digitalisation plans due to COVID-19, while the same proportion will have more of their employees working remotely permanently.
The shift to greater digitalisation has had a knock-on effect on cyber security strategy. Nearly all respondents (96%) have shifted their cyber security strategy due to COVID-19, with 50% of UK organisations agreeing that cyber security will now be baked into every business decision. This shows that security is too important to be seen as an afterthought.
At a global level, our research showed the strategic focus on cyber security will lead to a more prominent role for the CISO. Two-fifths (43%) of global respondents agreed there will be more frequent interactions between the CISO and CEO or board, but this falls to 34% in the UK. This suggests more needs to be done to elevate cyber security conversations to UK boardrooms, perhaps by better aligning cyber risk to business strategy.
As cyber security becomes a strategic priority, the CISO role needs to evolve to match its influence within an organisation. In our research, more than a quarter (27%) of UK organisations said the CISO's primary role should be as a transformational leader. This compares to 20% among global respondents.
The transformational CISO needs the ability to lead cross-functional teams to create agile, forward-thinking security operations that can support an organisation's strategic transformation goals. In contrast, just 15% of UK respondents said the CISO should primarily be an operational leader and master tactician compared to 20% globally.
Our research found that a majority of organisations lack confidence in their cyber spend. Just 38% of UK organisations are very confident their cyber budget is allocated to the most significant cyber risks, compared to 44% globally. Similarly, only 36% are very confident they are getting the best return on their cyber spend versus 42% globally.
Despite this lack of confidence, 56% of respondents are planning to increase their cyber budgets in 2021. Perhaps in an effort to get a better return on investment, 41% of UK organisations will develop a new process for their cyber security spend next year, while two-thirds (67%) agreed that automation was the primary way to contain costs without compromising security.
To improve their return on cyber spend, organisations should better align their budget to the most serious risks and threats. Our research shows this is already on the agenda for a majority of businesses – 71% of UK respondents agreed that by quantifying cyber risks, their organisation can improve their ability to manage overall risks against spending.
Furthermore, 39% felt that better and more granular quantification of cyber risk was a likely outcome of the pandemic. In fact, just 5% of organisations said they had no plans to improve their quantification of cyber risk in the next two years, while 18% are already realising the benefits of it.
By better quantifying cyber risk, organisations can prioritise cyber spend by comparing the cost and value of different investments. Quantification also makes it easier to measure cyber security investments against business objectives. This will bring confidence that cyber security budgets are delivering a good return and helping mitigate the most serious risks.
“It's surprising that so many organisations lack confidence in their cyber security spend. It shows businesses need to improve their understanding of cyber threats and the vulnerabilities they exploit, and then map their security capabilities against those threats. We must also change the way organisations think about cyber risk so it becomes an intrinsic part of every business decision.”
No organisation can be totally protected from cyber attacks. It's therefore vital to gain an improved understanding of the threat landscape, so you can build effective cyber security alongside a robust incident response plan.
We asked respondents what they saw as being the most likely cyber events to impact their industry over the next 12 months. In the UK, 58% of organisations cited an attack on cloud services, followed by a disruptionware attack on critical business services (52%) and a ransomware attack (50%).
UK respondents were less likely to think a ransomware attack would occur compared to the global average (57%). This is despite a series of high profile ransomware attacks in 2020, with our own threat intelligence data showing the threat is increasing as cyber criminals become more sophisticated.
Our research asked whether organisations would be expanding their cyber security teams in 2020 and which skills were most in demand. In the UK, 42% of organisations plan to increase their headcount compared to 51% globally. However, more than a fifth (22%) of UK organisations are planning to decrease the size of their cyber security team compared to 16% globally.
New hires are expected to possess more than just technical knowledge. While security intelligence (46%) and the ability to work with cloud solutions (40%) are cited as the most important skills for new employees, this was closely followed by communication (38%), project management (38%) and analytical skills (37%).
This reflects the evolution of the industry, with cyber teams now required to work collaboratively with the rest of the business to develop a strategic, analytical approach to cyber security.
“As cyber security becomes a strategic priority, organisations should be hiring talent from more diverse backgrounds. Security teams need a mix of soft and technical skills coupled with business knowledge – this helps improve collaboration with senior leaders and ensures that cyber security decisions support the organisation's strategic goals.”