acm-header
Sign In

Communications of the ACM

Viewpoint

Cybersecurity: Is It Worse than We Think?


computers at edge of crator, illustration

Credit: Novikov Aleksey

Cybersecurity consistently receives significant attention, pressuring organizations to take precautionary steps to prevent incidents and data breaches. Numerous surveys are published each year by reputable organizations such as Deloitte, Verizon, The Ponemon Institute, and ISACA to get a better sense of what organizations are doing in response to these pressures. The general attitude is that threats evolve quickly and many organizations struggle to keep up.5 Much of the data available on this subject comes directly from cybersecurity professionals, which provides legitimacy to the findings. However, it also represents a somewhat biased sample in that responding organizations have already committed resources to tackling these complex issues. Further, there is limited analysis on how individual organizations are changing over time as such reports typically provide industry-level observations. We seek to complement the myriad security research notes by investigating specific cybersecurity practices within organizations to evaluate where organizations are showing improvement, where they are stagnant, and what may be influencing these changes. Our results confirm that cyber-security continues to receive attention on the surface, but when looking beyond surface-level impressions a surprising lack of progress is being made.

Back to Top

Peeling Back the Layers

Each year, the Society for Information Management (SIM) conducts the IT Trends Study—an extensive survey of CIOs and top IT executives to evaluate IT practices within organizations.1 Organizations come from 30 different industries and vary in size, with an average revenue of $4 billion and a median revenue of $400 million. A hallmark of the study is the annual ranking of "organizations' Top IT management Issues" where respondents are asked to select up to five IT-related issues from a list of 41 that are the "greatest concerns to their organization." Cybersecurity has been in the top 10 for a decade as was the top concern for the last three years, signaling that organizations are more worried about cybersecurity than any other IT concern. However, the percentage of organizations selecting cybersecurity was only 41.9% in 2017, 38.3% in 2018, and 35.9% in 2019, suggesting a reality where a relatively small percentage of organizations treat it as a top concern.

One possible explanation of this decline is that significant cybersecurity improvements have already been made, shifting organizational priorities elsewhere. To better evaluate whether this is the case, we ask respondents whether their organization:

  • Has a CISO or equivalent?
  • Requires cybersecurity training for employees?
  • Considers cybersecurity during software development, change management, IT procurement, and/or overall business strategy?
  • Measures and evaluates cybersecurity performance?
  • Has cyber insurance coverage?

While these questions do not provide absolute assurance that an organization is adequately prepared to address all cybersecurity threats, they do provide the opportunity to see how organizations are changing over time (since many respondents participate in multiple years). Additionally, negative responses signal that an organization is clearly not adopting common cybersecurity best practices. In comparing 2016 to 2019, it is clear there is improvement in some areas yet growth is stagnant in others (see the table here).

ut1.jpg
Table. Change in readiness across classes.

The most dramatic change comes in the form of cyber-insurance. Fewer than half of organizations had such coverage in 2016 but nearly two-thirds were covered in 2019. By transferring risk to a third party, an organization may focus on other top priorities. However, cyber-insurance is by no means a panacea as it will typically not provide financial compensation for lost sales, reputational damage, or costs associated with fortifying systems.2 For example, Target estimated the financial impact of their breach in 2013 was $291 million but only $90 million was offset through insurance coverage.6 While the significant increase in companies adopting cyber-insurance plans is admirable, in the absence of other significant security improvements, it may provide limited risk reduction for organizations.

Cybersecurity's involvement in the IT Procurement process has also seen a notable improvement since 2016. Given the rise in cloud utilization1 and the interconnectedness of vendor/supplier systems, risk exposure continues to expand outward from the organization. Further, 59% of breaches in 2018 involved third-party systems or failures.3 As such, it appears as though organizations are placing more emphasis on ensuring adequate security provisions are included when purchasing IT components or engaging third parties.


Cyber-insurance is by no means a panacea as it will typically not provide financial compensation for lost sales, reputational damage, or costs associated with fortifying systems.


Despite the improvements noted over the past four years, there is still room for growth. The figures noted in the last row in the table represent a sum of overall readiness that is determined by awarding one point for an affirmative answer to each of the five questions included in the survey (organizations received 0.25 points for each business process security was integrated with). While gradual improvement has been observed over the last four years, the average organization still only implemented 3 out of 5 standard best practices in place in 2019.

While our sample is skewed toward small to medium-sized organizations, large companies are also experiencing issues. Of organizations with revenues greater than $1 billion in 2019 (30% of our sample), only 75.2% had a CISO or equivalent position and the average readiness score was a 3.51. For organizations over $5 billion in revenue (13% of our sample), 81.4% had a CISO and the average readiness score was 3.57. While large companies are in a slightly better position, there is still room for improvement.

So, is cybersecurity worse than we think? We think the answer is yes—after peeling back the layers to identify specific practices within organizations, there is much to be desired. With approximately 50% of organizations appointing a leader of cybersecurity efforts and involving security in the planning of overall business strategy, many organizations, even the ones with respectable readiness scores, are tackling cybersecurity as more of an IT process rather than an enterprisewide issue. Of course, simply appointing a leader or providing a seat at the table for strategy planning meetings is not effective unless the organization truly buys into the importance of cybersecurity.

Back to Top

Prioritizing Cybersecurity

To better understand the impact of setting the tone at the top with a focus on cybersecurity, we were curious as to whether organizational prioritization has any effect on cybersecurity practices. We compared cybersecurity readiness scores and organizational prioritization across a two-year period for those organizations that provided responses in two consecutive years. Each organization was classified into one of four classes:a

  • "Leaders": an organizational priority in both years (28.0% of organizations)
  • "Laggards": not an organizational priority in either year (37.9%)
  • "Upgraders": an organizational priority in year two but not in year one (17.6%)
  • "Downgraders": an organizational priority in year one but not in year two (16.4%)

The readiness scores (see the figure here) reveal two statistically significant insights.b First, organizations that prioritize cybersecurity have higher readiness scores. Leaders rise above the rest, with downgraders close behind. Second, improvements to cybersecurity readiness are different across these classes. When comparing the classes, we see the worst-performing class, in terms of improvement, is the "down-grader" (+0.07) whereas "upgraders" resulted in the largest one-year improvement (+0.53). This suggests that organizations that turn their attention away from cybersecurity see virtually no improvement whereas those that make a conscious decision to begin treating it as a priority observe much greater improvements.

uf1.jpg
Figure. Cybersecurity Practices: 2016 vs. 2019.

These results offer only a two-year snapshot and it is common knowledge that improvements to cybersecurity defenses take time. For the 139 organizations we have 36 months of data for, the improvements from year one to year two were almost identical to the year two to year three improvements across all four classes. Thus, the pace by which improvements are observed is steady across multiple years.

Back to Top

What Does It All Mean?

Given our analysis, we believe there is a harsh reality lurking beneath the surface within many organizations. While they may be saying the right things in public to satisfy investors, underwriters, and customers, there is an apparent lack of urgency in promoting a truly resilient and secure organization. Our research did not have to dig very deep to find surprising gaps in organizational security practices. Further, the security practices most commonly missing from organizations tend to be those that provide visibility, leadership, and integration with the business.

Our data also suggests when organizations say cybersecurity is one of their top concerns, they tend to do more about it. However, they still appear to be reluctant to hire a CISO or provide cybersecurity a seat at business strategy meetings. Our data suggests large companies are doing better in this regard, but even they still struggle to implement all of these foundational security practices.

Why is this the case? Although we cannot objectively answer this question, we can offer several possible conjectures. First, cybersecurity budgets are notoriously difficult to justify given there is no true ROI.4 Hiring a CISO is a large investment whereas developing a short training video or document and distributing it to all employees requires minimal financial resources. Second, it is possible that risk tolerances of CEOs may be rising. Given changes to compensation structures for top executives and pressures from investors to deliver short-term gains, there is little incentive to divert resources away from ventures that deliver near-term returns. As such, CEOs may be wary of inviting security personnel into strategic planning discussions for fear of security requirements inhibiting productivity and innovation. Finally, it is possible that a defeatist mentality is setting in across organizations. Everyone has heard the phrase "it's not a matter of if, but when" in terms of cybersecurity incidents so perhaps organizations are simply doing the bare minimum and are prepared to face the consequences when the inevitable occurs.

Cybersecurity threats are not going anywhere and even well-prepared organizations will continue to experience breaches. This does not mean we should give up, however. Organizations of all shapes and sizes have plenty of room for improvement once you look beneath the surface.

Back to Top

References

1. Kappelman, L. et al. The 2018 SIM IT issues and trends study. MIS Quarterly Executive. (2019).

2. Mak, A. AdvisorSmith 18, 7 (2019); https://bit.ly/3a2IlDq

3. Ponemon Institute. (Nov. 2018); https://bit.ly/2W4f8zI

4. Schneier, B. CSO 9, 2 (Nov. 2008); https://bit.ly/3qMpMta

5. Staff, C. Cybersecurity. Commun. ACM 60, 4 (Apr. 2017).

6. Target. SEC Edgar 5, 25 (2016); https://bit.ly/37SIN4t

Back to Top

Authors

Chris Maurer (maurer@virginia.edu) is an assistant professor in the McIntire School of Commerce at the University of Virginia in Charlottesville, VA, USA.

Kevin Kim (kevin.kim@unt.edu) is a Ph.D. student in the G. Brint Ryan College of Business at the University of North Texas in Denton, TX, USA.

Dan Kim (Dan.Kim@unt.edu) is a professor in the G. Brint Ryan College of Business at the University of North Texas in Denton, TX, USA.

Leon Kappelman (kapp@unt.edu) is a professor in the G. Brint Ryan College of Business at the University of North Texas in Denton, TX, USA.

Back to Top

Footnotes

a. 414 unique organizations participated in the survey in at least two consecutive years between 2016 and 2019, 139 organizations provided at least three consecutive years of data, and 43 organizations provided four years of data.

b. A mixed model controlling for organization and sector was evaluated. The difference in readiness based only on organizational concern (0 or 1) was statistically significant at the 0.01 level. Differences in readiness between prioritization classes was significant at the 0.05 level.


Copyright held by authors.
Request permission to (re)publish from the owner/author

The Digital Library is published by the Association for Computing Machinery. Copyright © 2021 ACM, Inc.


 

No entries found