Cyber security and data protection have been ranked third in a list of boardroom priorities.
According to a survey released today by KPMG of 498 C-level executives from UK businesses, under-investment has left many businesses acknowledging the need to increase spend on secure technology. Despite this, one in three executives questioned the need to invest in people skills, with 19 per cent also more focused on plant or machinery purchases.
When it comes to technology, the board is concerned about how social media is used to liaise with customers. Executives are also worried about data analytics and whether cloud computing can make a difference to their business. However, they remain unsure how to maximise the opportunities secure technology can offer, collectively ranking ‘the need to get the best from IT investment’ as a most important technology-driven priority.
Martin Tyley, a partner in KPMG’s cyber security practice, says: “Every day we hear of new cyber attacks and incidents, but the knock-on effect is that boardrooms become wary of scaremongering. I see a real risk of boardrooms doubting the severity of the issue and the extent of their vulnerability.
“Instead, by better understanding the cyber threat landscape and ensuring cyber security is woven into everything else that is done, it’s much easier to positively manage the risk rather than reacting when things go wrong.
“There is an increasing optimism among UK businesses who have indicated a gradual rather than explosive approach to their investment plans this year. Many businesses are feeling that under-investment in technology during the downturn has led to the problem of playing ‘catch up’ with competitors, but the solution is not as simple as splashing the cash.”
Alastair MacWilson, chair of the IISP, said that there needs to be a more “generalist” attitude to information security and less focus on “specialisms” as “security is not getting better”.
Speaking at an event at the University of Surrey, he said: “When I came into this 24 years ago, it was very hard to find anyone with heavyweight qualifications in security, as everyone was trained in something else. I’ve seen good lawyers, accountants and PR people come in and we are getting good views on something driven. Organisations are stupid if they don’t bring in blood from other places, and many CIOs and effective CISOs come from the outside.”
Mark Brown, director of information security at EY, said that in a BiS health check last year, he talked to 100 companies, and 75 per cent of the FTSE 350 deemed it to be the CEO or CFO who was accountable for cyber security. “They see the trust of the company managing risks, and I run engagements for clients where I am engaged by the board or company secretary and run an audit and verify if what they are told by the CEO or CIO is accurate,” he said.
“They looked under the carpet and if they don’t like what they see and see a change in how security will evolve, and know why to engage business sensibility than technology and sustain a security programme, it will allow it to become everyone’s responsibility. It is not just investing across the board, as outsourcing has its place, but you need to be world class at what you do, not just at IT.”