Budget Constraints Affecting CIOs' IT Security Operations

by CXOtoday News Desk    Dec 07, 2015



Lack of adequate budget continues to be a growing concern for CIOs in effectively carrying out their IT security operations. In fact, a whopping 49% of CIOs feel that budget constraints are the main obstacle challenging information security operations, followed by lack of skilled labor, says EY’s Global Information Security Survey 2015, titled ‘Creating trust in the digital world’.


The responses from more than 200 Indian organizations examine some of the most important cyber security issues facing businesses today and find that 65% believe their information security structure partially meets their organization’s needs. When it comes to IT security budgets, only 18% say that their budgets should be increased by up to 25% to align their organization’s need for protection with its management’s tolerance for risk.

The most likely sources of cyber-attacks, hacktivists (70%) and criminal syndicates (55%), have retained their top rankings, with lone wolf hackers (42%) and state-sponsored attacks (32%) closing in.

According to Burgess Cooper, Partner – Information & Cyber security, EY, “The digital age and inherent connectivity of people, devices and organizations have opened up a whole new playing field of vulnerabilities. As old sources of cyber threats evolve, new sources are emerging to add to the complexities for organizations.”

Cybersecurity is not an inhibitor in the digital world; rather it is the way to make the digital world fully operational and sustainable. Cyber security is the key to unlocking innovation and expansion, and a tailored organization and risk-centric approach to cyber security will adjust the balance of the digital world back towards sustainability and safety, to better protect your organization and create trust in your brand, added Burgess.

Vulnerabilities and threats: a shift in perceptions

The survey found that organizations currently feel moderately vulnerable to attacks arising from unaware employees (48%). This is due to more organizations encouraging the ‘Bring Your Own Device’ policy. 26% of organizations are completely unaware of the threats and process failures that led to their most significant cyber breaches in the year gone by. However, only 15% of the organizations feel more threatened today by phishing and malware, while 12% blame their poorly secured internet-facing systems and applications.

The survey also finds that organizations are now better prepared to avert a cyber-attack arising from emerging technologies and trends, as 59% say they have a dedicated function that focuses on emerging technology and its impact, and 31% believe that their Security Operations Center (SOC) is tightly integrated, meeting the heads of business operations regularly to understand business concerns and risks. Another 30% say their SOC takes an average of one hour to initiate an investigation of a discovered or alerted incident.

However, 41% of the organizations still do not have a security operations center, while 61% outsource their vulnerability assessment - information security function. Almost half (49%) said that budget constraints, and 47% that lack of skilled resources, impact the contribution and value that the information security function provides to the organization, indicating that the situation is deteriorating rather than improving.

Understanding the challenges for cybersecurity in India

According to 65% of respondents, information security partially meets their organizational needs and improvement is underway. Nearly 55% of respondents see criminal syndicates as the most likely source of an attack today, and 47% of respondents say that lack of skilled resources is challenging information security’s contribution and value to the organization. Over half, or 57%, of respondents spend less than Rs 65 lacs on information security (people, process & technology).

Over 73% business continuity/disaster recovery resilience tops the list of areas concerning the organizations believe that poor user awareness and behavior is one of the major risks associated with the growing use of mobile devices by their employees. More than half (55%) say that loss of a single smart device not only means loss of information, but also increasingly leads to a loss of identity.

In the area of big data, 43% of the organizations do not have a formalized requirement for using big data while addressing their privacy obligations. What’s more, 41% of the organizations interact with customers via social media, but 50% of them do not have formalized requirements for using social media for commercial purposes while addressing their privacy obligations.

Nitin Bhatt, Partner & Leader-Risk Practice, EY says, “Cybersecurity is the key to unlocking innovation and expansion, and by adopting a tailored organization and risk-centric approach to cybersecurity it will allow organizations to re-focus on opportunity and exploration. Building trust in a business that operates successfully within the internet of things (IoT) and that fully supports and protects the individual and their personal mobile devices (from a simple phone to a healthcare device, from smart appliances to smart cars) will be a key competitive differentiator and must be a priority.”

By acting now it is possible to adjust the balance of the digital world back towards sustainability and safety, to better protect your organization and create trust in your brand, said the study.