Cybersecurity risk in 5 stats

Chief information security officers (CISOs) operate in a much riskier world than they did just a few years ago. The variety of corporate security threats has grown, along with the frequency and costs of cyberattacks to organizations of all sizes and industries.

Compounding CISOs’ misery, digital transformation, expanding supply chains, and the push for innovation have added to remote work to expand every organization’s attack surface.

How prepared are companies to manage such risks? A new ThoughtLab global survey, co-sponsored by ServiceNow, asked 1,200 executives in 14 economic sectors to evaluate the cybersecurity challenges they face, and the progress they’re making in response. Here are some highlights:

Between 2020 and 2021, the average cost of a security breach per firm jumped from $3.35 million to $4.17 million. Healthcare took the biggest hit, with an average increase of $8.6 million per organization.

Human error is the biggest source of corporate security breaches, whether it’s workers getting deceived by phishing attacks or overworked staff pushing a button to say “YES” before enough checks are done.

As companies expand their investment in cloud systems and tools, OT, and DevOps, misconfiguration of settings and apps leaves more dangerous pathways open for hackers to exploit. Another big risk comes from remote employees who use unsanctioned equipment and networks—so-called shadow IT—to get work done.

Companies are spending more on cybersecurity in 2022 than they did in 2021. Security leaders will allocate 15.5% of overall IT spend to cybersecurity in 2022, a 2% increase from 2021. (Average security spend for all firms is 14.2% of the total IT budget.)

The top people-focused initiative planned is upskilling and developing cybersecurity and IT staff. The top technology planned investments include conducting regular risk assessments, audits, and stress tests; developing and maintaining a cyber-incident response and recovery plan; and prioritizing protection of IT and OT assets as well as remediation of vulnerabilities.

How do companies manage cyber risk in different industries? The survey found levels of sophistication and leadership vary widely by company and industry. Life science firms led all other sectors in cybersecurity response planning, risk mitigation, and threat analysis. Insurance, ranked separately from financial services, came in a close second.

Cybersecurity is shifting from a one-leader model to more of a team approach. Four in 10 of surveyed organizations report having a cross-organizational alliance—including compliance, legal, operations, data privacy, risk management, and the C-suite—that works with cybersecurity teams to manage overall risk. These support a larger CISO role in data privacy, compliance, fraud, and third-party/supply-chain risk management.