Survey: IT leaders invest to improve cybersecurity, compliance

Improvements made, challenges remain

Strategies to increase security postures and improve compliance with data protection regulations vary by organizational risk -- which itself varies by industry, said Orson Lucas, managing director of KPMG's Cybersecurity Services practice.

One overarching trend is that organizations -- particularly those with more mature cybersecurity operations -- are investing heavily in next-generation cybersecurity technologies that use artificial intelligence and automation to analyze security-related data points and pinpoint the activities that are the most concerning, Lucas said.

Steven Stein

The Harvey Nash/KPMG study also found that many organizations are trying to beef up their security expertise, with demand for security and resilience talent jumping 25% from the 2017 survey. However, the tight IT labor market has 65% of CIO's saying a lack of talent is holding their organizations back from keeping pace with technological change. To assist with the lack of headcount, many respondents reported that they plan to implement automation techniques, the survey found.

Experts say organizations are maturing their overall approach to compliance, cybersecurity, privacy and risk by moving from reactionary operations to proactive practices.

Stein said more organizations are consolidating cybersecurity, data privacy and risk/compliance activities into information lifecycle management. This discipline brings together legal, risk, information security and IT with the expectation that better coordination between them will deliver the best results on all fronts.

Orson Lucas

"We're seeing a much heavier focus on information governance -- understanding what you have, where it's being transmitted, tracking and managing that," Lucas said. "If done well, it is the core of effective cybersecurity and privacy strategy."

Similarly, Modi said he sees more companies building security operation centers that consolidate related tasks to ensure more efficient, effective execution.

"Executives and boards recognize that there's a maturity cycle everyone is going through [and that] the world is going through together," he said. "So there has been a lot more investment in personnel and processes."

Accentuating the positive

The Harvey Nash/KPMG CIO Survey found that only 15% of the respondents predicted their organization would be GDPR-ready by the regulation's May 2018 deadline, but Lucas said many executives acknowledged that they started their compliance efforts late and, as a result, fell behind. But companies are working to improve: The survey found that about half of the companies have nearly completed their GDPR compliance efforts.

Hardik Modi

Lucas made a similar observation regarding most of the respondents reporting their systems as ill-prepared for a cyberattack, noting that most companies are still refining their efforts to improve cybersecurity practices.

"A lot of companies may feel ill-prepared -- the attack surface for most companies is significantly bigger now," he said. "In years past, it was just a perimeter problem and [required only] the ability to lock that perimeter down. Now, you have employee devices, people who work remotely, you have increased access by third-party vendors and partners. At the same time, the attacks are increasingly complex and the attackers are increasingly focused and well-funded."

Frazzetto echoed that organizations are dealing with increased attack surfaces, more complex IT infrastructure and exponentially more data than ever before, yet they continue to improve cybersecurity and privacy practices.

"There was very little fluctuation year over year, so I walked away and said that's good news," she added. "That means that instead of it growing exponentially, which you'd anticipate with all the changes taking place, we've actually been able to control it."