Threat of GDPR fines increasingly driving security buying decisions

Company boards seem to be increasingly inclined to invest in cyber security, but suffer from a concerning tendency to take spending decisions only after suffering from a security incident, or because they fear being sanctioned following a compliance audit failure, according to a study conducted on behalf of access management specialist Thycotic.

Over 900 CISOs and senior IT decision makers were surveyed to compile the report, and found that 91% felt their organisations were adequately supporting them with investment.

Over half said their organisations planned to up their security budgets in the next 12 months. However, 77% of respondents said they had received investment for new security projects in response to an incident in their organisation, and 28% said investment was influenced by fear of audit failure.

Indeed, with fines levied under the General Data Protection Regulation (GDPR) – such as, recently, fast fashion retailer H&M, which was fined €35.3m (£32.1m) by the German data watchdog for snooping on its employees – continuing to increase, 23% of security decision makers said enforcing compliance, or the threat of fines, was the most effective way to persuade boards to hand over the cash.

Many respondents also said they still had their work cut out to gain the board’s support; about 37% said they had had a proposal turned down because the threat was perceived as low risk or because the return on investment (RoI) was not immediately apparent, and as a result a similar number said they believed organisational management did not really understand the sheer scale of security threats that face them.

“While boards are definitely listening and stepping up with increased budget for cyber security, they tend to view any investment as a cost rather than adding business value,” said Thycotic CISO Terence Jackson. “There are some encouraging signs, particularly in APAC where RoI is a leading factor in security investment decisions.

“However, there is still some way to go,” he said. “The fact boards mainly approve investments after a security incident or through fear of regulatory penalties for non-compliance shows that cyber security investment decisions are more about insurance than about any desire to lead the field which, in the long run, limits the industry’s ability to keep pace with the cyber criminals.”

The report also examined the approaches taken by CISOs themselves, and found an overwhelming majority were forward-looking and keen to try out innovative new approaches to security.

However, in practice, decisions were more usually guided by peers and competitors, and 46% said they benchmarked themselves against other companies in their sector. Thycotic suggested that this may lead buyers to err on the side of caution and invest in proven options rather than pushing the boat out on something new.

However, while taking this approach may mean organisations miss out on truly innovative security tools, Thycotic said that striking a balance between innovation and compliance may work in a CISOs’ favour when pitching to the board.

The report found this balance was somewhat discernible in the way CISOs describe their organisations’ risk profile, with 45% saying their organisation was “in the pack” compared with only 33% who described their employers as “pioneers”. A mere 17% said their business had its finger on the pulse of security.