Venture capital firm Scale Venture Partners, which primarily invests in early-stage technology companies, has released a report looking into how last year’s events have shaped security strategy for 2018.
The primary findings of the study were:
- More than 90% of security executives said that high-profile breaches resulted in the board or CEO making changes to the company’s security program, most often through increasing spending on cybersecurity. 56% of security professionals reported that the Equifax breach had affected their perspective on cybersecurity.
- The two biggest drivers of change were high-profile data breaches and the GDPR.
- 60% said that greater budget had been allocated to cybersecurity. 68% said that their organisation has increased investment in new cybersecurity technology, and 55% said that there had been greater investment in security personnel.
- Cloud infrastructure security is the technology receiving the most investment. Threat intelligence is the area seeing the most growth – 53% said it was a top priority, as opposed to 38% in 2016.
- 80% of executives say they feel more equipped to handle cybersecurity risks than they did last year.
- C-level executives are more confident than directors in the organisation’s ability to handle specific risks. They were most confident about cryptomining, malware/APTs, and data breaches, and least confident about hackers operating for financial gain. Directors were most confident about data breaches and malware/APTs, and least confident about nation-state attacks and espionage.
- C-level executives think the risk posed by cryptomining is the most likely to increase in 2018, while directors expect to see the biggest increase in risk to come from data breaches.
- Alert fatigue and outdated technology/processes are the main challenges for security teams. Other major challenges named by respondents were insufficient budget, complex legacy data centre infrastructure, and the lack of solutions on the market which address their company’s needs.
- C-level executives place ultimate responsibility for data security on the C-suite (particularly, CIOs and CEOs), while directors are more likely to say that the IT department is accountable. Looking at all respondents together, last year the IT department was seen as ultimately accountable, whereas this year responses were spread out across a greater variety of roles, with the CIO being the most commonly named.
- 1/3 of respondents said that the most senior security decision-maker reports directly to the CEO. 38% said the CEO or board are now more involved in security decision-making.
- ‘Insufficient data privacy controls’ overtook ’employee mistakes’ as the number #2 concern keeping executives up at night. Hackers remain the biggest worry in first place, with 49% of the vote.
The full report, based on responses from 200 US-based security leaders, was released in April and can be accessed here.