Intelligent CISO Issue 27 | Page 28

Editor’s question

Rory Duncan, Security GTM Leader, UK, NTT Ltd

According to NTT’s global 2019 Risk:Value report which explores why organisations are failing to make progress with their security, security budgets are failing to keep up with increasing cybersecurity risk. There has only been a minimal increase in the percentage of IT budgets attributed to security (15%), while the percentage of the operations budget attributed to security has fallen since 2018 to 16%.

While security spending has fallen, the estimated revenue loss (following a data breach) in percentage terms is up year-on-year – 12.7% in 2019, compared to 10.3% in 2018 and 9.9% in 2017, according to the report. The cost of recovery is US$1.2 million, on average.

During the current crisis, organisations are being forced to adapt to changing circumstances and prepare for a post-COVID-19 world. With more people working from home, the focus is on trying to maintain ‘business as usual’, supporting staff in virtual work environments, complete with collaboration tools, file sharing, video and teleconferencing facilities. Security processes and systems must be in place to support this new structure and ensure people can work remotely, but securely and with confidence.

As a result, it’s likely that many security projects or initiatives where budget would have been allocated may have to be put on hold. Ensuring the security basics are in place, such as patch management (NTT’s Global Threat Intelligence Report 2020 shows that old vulnerabilities remain an active target) and having incident response plans in place that are communicated to staff and tested on a regular basis, is critical during this time.

Post-COVID-19 security budgets will need to consider the implications of supporting more remote workers for longer periods, and the need to put controls in place for these new working models.
For example, recognising the unexpected spend to move people to remote working, and other actions to keep the business running, such as replacing BYOD or home computing kit with corporate-controlled devices, as well as the consumption models of more cloud-based services. There’s also the question about how much office space is needed in the future, and for whom.

Reverting back to my opening comments about allocation of budgets for security, what’s really interesting is the fact that a global pandemic has changed the way most of us work. Despite all the disruption, changes and adjustments we have had to make, businesses have continued to function and security has been an important part of this. This will help CISOs in their board-level conversations when it comes to securing budget – it’s not just security, it’s business investment.