Study: Cybersecurity prioritized over physical security by today's CEOs

June 18, 2019
New CCHS and ISMA survey provides insights into how organizations are balancing security concerns

Given the myriad cyber threats facing organizations today from criminals, nation-states and hacktivists, it should come as little surprise that senior-level executives are placing a larger emphasis on bolstering cybersecurity over physical security. However, the results of a recent survey conducted by the Center for Cyber and Homeland Security (CCHS) at Auburn University in conjunction with the International Security Management Association (ISMA) provides new insights into the resources that C-suite leaders are considering putting behind the mitigation of cybersecurity risks as well as how CSOs and CISOs view their roles and the evolving technology landscape.  

As the study is quick to point out, the fact that cybersecurity is prioritized by management teams is not a reflection of organizations seeing diminished physical threats or a poor job of security practitioners in articulating the value of their departments to the company but rather it is indicative of the maturity level of physical security within most enterprises and their effectiveness at countering risk. According to ISMA Research Committee Member and former Boston Scientific CSO Lynn Mattice, the maturity level of corporate security programs – traditionally comprised of physical security, personnel security, information asset protection, security risk identification and mitigation, as well as business continuity/emergency response programs – is such that most CEOs have been in a position to see that these programs are professionally run and provide effective risk mitigation and resilience.

“The CSO population has had decades of visibility with the C-suite and boards to educate leaders and mature security processes to a level where most CEO’s have confidence that their ‘physical security’ posture in general is mature and capable, with experienced CSO leaders who understand the internal and external threats being directed against their enterprises on a daily basis,” Mattice explains. “In light of the dramatic increases in nation-state-sponsored, -instigated or -supported economic espionage focused at stealing vast amounts of intellectual property and other vital intellectual capital from a vast array of enterprises, CSO’s are again being called upon to help executives and boards better understand the risks they face in today’s complex global economy.”

This was especially true in the years following the 9/11 attacks where security executives were regularly called upon to brief senior leaders and boards of directors on the terror threat landscape.

“The difficult lessons learned from that event were widely shared and resulted in CSOs and corporations placing significant emphasis on enhanced personnel screening, improved physical security, comprehensive travel security measures, strengthening of business continuity programs to ensure resiliency, improved crisis management training and employee mass notification procedures,” Mattice adds. 

On the other hand, cybersecurity is still a relatively new and evolving function within a majority of organizations today and, given the impact that data breaches and cyber-attacks have had on companies across industries in recent years, there’s a clear desire on the part of CEOs and the C-suite, as a whole, to avoid becoming the next victim.

In fact, the survey, which recorded responses from 136 participants that included a mix of CEOs, CSOs and CISOs, found that CEOs across the board are overwhelming prioritizing cybersecurity as it relates to broad importance/emphasis (86%), budget (83%), personnel allocation (83%), and overall strategy (86%). When asked what was the most important driver for placing their strategic emphasis on cybersecurity, the majority of CEOs (75%) reported findings of internal risk assessments as the primary driver, followed by prioritization by the board (50%), nature of industry and business operations (50%), history of prior security incidents (25%), and relevant background of members of senior leadership teams (12.5%).

“While the role of CISO is not brand new, the challenges being faced by this group of professionals evolve at a rapid pace,” Mattice says. “The relentless nation-state, organized crime, gangs, insider and cyber-hacktivists attacks directed against corporations come at a dizzying rate. At the same time as companies are trying to embrace the digital age, they must also mitigate the risks associated with a complex cyber-environment that is ever-changing and extremely difficult to protect and secure.”

Budget Priorities

With security being historically seen as a cost center within most organizations, the ability to receive increased budget allocation for technology upgrades and various other initiatives has always been an uphill battle for security executives. This could become an even bigger challenge in the future as organizations finds themselves attempting to balance both physical and cybersecurity priorities.

While all CEOs who responded to the survey said they envisioned increasing budgets for cybersecurity initiatives, only 29% predicted that there would be similar budget increases for physical security. However, of those who said they didn’t foresee steadily increasing physical security budgets for their organizations over the next five years, over half selected “protecting physical assets and operations” as the most important priority for their CSO over the next one to two years.

At first glance, it would appear that the predicted budget allocations of these CEOs are not aligned with their security priorities, however; the study noted that because all of them believe they maintain a coordinated or unified incident response plan, increasing cybersecurity budgets may not be seen as actually taking away from physical security.

The CSO Perspective

Unsurprisingly, a majority of the CSOs surveyed (85%) felt that their senior leaders prioritize cybersecurity over physical security, due primarily to their companies experiencing more cyber incidents than physical security incidents in the recent past.

In contrast with CEOs, however; nearly 60% of CSOs said they envisioned growing security budgets over the next five years. In addition, about 70% of CSOs reported having a unified incident response plan that is a coordinated effort between both physical and cybersecurity.

Of the technologies and innovations that CSOs expect to have a “very significant impact” on their jobs over the next five years, the majority of respondents (63%) believe advancements in insider threat detection will affect their duties the most, followed by employee use of mobile devices (46%), counterfeiting/product diversion/interception/prevention (24%), and robots replacing security officers (20%).

What CISOs Think

Like their CSO counterparts, the majority of CISOs believe that senior leaders in their organizations prioritize cybersecurity over physical security, which 44% attribute to recent cyber incidents.

And while many previous studies have found a lack of knowledge among C-suite executives and board members as a reason why companies haven’t adequately invested in cybersecurity, CISOs who took part in this survey were extremely involved in helping educate senior leaders about these issues. In fact, 72 % of CISO respondents said they did two or more of the following:

  • Made presentations on cyber threats at senior leadership meetings and/or board of directors’ meetings;
  • Brought in outside cybersecurity experts to speak to senior leadership or board of directors;
  • Held tabletop exercises with senior leadership of company on cyber threats;
  • Implemented penetration tests of company and provided results to senior leadership;
  • And, developed new employee training on cyber threats and risks.

As a result of these activities, CISOs have created more awareness and understanding among C-suite leaders about the cybersecurity threats they face, and many expect to see increased budgets moving forward. Indeed, 77% of CISOs said they expect to see increased cybersecurity budgets over the next few years while only 33% predict an increase in the physical security budget.   

Of the technologies and innovations that CISOs expect to have a “very significant impact” on their jobs over the next five years, the majority of respondents felt that the shift to cloud-based services (71%) would affect them the most, followed by big data and artificial intelligence (47%), the Internet of Things (44%), and employee use of mobile devices (41%).

Click here to read the full study results. 

About the Author: 

Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].       

About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.