Finally, some numbers to put to one of business's biggest security disconnects: More than 80 percent of "C" suite executives admitted their companies have been breached in the last two years, but less than half said they've actually invested in any kind of information security product or service as a result.
The findings were part of a KPMG LLP's Consumer Loss Barometer report, released this week, which surveyed 403 CIOs, CISOs, CTOs and CIOs.
Respondents in the retail sector counted the most breaches, with 89% reporting yes, followed by automotive (85%), and banking and technology companies (76%). On the spending side, 66% of banking respondents said they'd made some sort of security investment, followed by technology (62%), retail (45%), and automotive (32%).
The disconnect between the high volume of breaches and low amount of security spending reflects a growing sense of overwhelm, particularly among CXOs, according to Greg Bell, KPMG's cyber US leader.
"We started using the term 'cyber fatigue' about 18 months ago and it's only accelerated," Bell says. It's not just an increase in the volume of breaches companies are experiencing, but also new kinds of risk that CXOs must learn about – and respond to strategically.
"Security should not be a function of IT but of business innovation," Bell says, underscoring one of the mantras from the report. "As you offer a new product, partner with new partners, or introduce services to a broader, global market, they all require a shift in security control," he adds. "If you don't align it with how the business is growing and innovating, you may be spending your security investment incorrectly."
To back that up, Bell points to an unnamed insurance company he talked to where the CISO was spending a lot of money to protect the company's dealer network. But another executive from the same company told Bell the medium-term plan was to get rid of dealers in favor of an app. The money spent on endpoint protection for the dealers was pointless and wasteful.
Bell also cited the changing nature of the automotive industry, where a strategic focus on security has lagged in comparison to other industry sectors. He also points to advancements in the infotainment elements of vehicles, not to mention GPS and autonomous driving features that have changed how consumers buy. "Consumers are also concerned about hacking and 80% don't want to buy a car that's associated with being hacked," Bell says. More than half of all auto companies lack an executive solely responsible for security – no CISO or its equivalent. "Auto makers aren’t aligning their spending with what their customers are thinking about," Bell says.
Infosec professionals regularly deal with projects where they start to deploy some new security product, only to have something better -- and cheaper -- come along as they near completion with now-older technology. By aligning security spending with innovation and the larger business strategy, companies can rescue infosec professionals who struggle to justify their expenditures, Bell says.
There's also concern among executives around security as they watch (and approve) lots of money getting spent to address vulnerabilities and improve safeguards, according to Bell. But yet the number of threats, hacks and actual breaches continues to increase. So while organizations may need to spend more on prevention and detection, there's nothing that can ever completely eliminate the threats. "That's been a mixed message to executives," says Bell, "and we need to articulate that better."