Freely subscribe to our NEWSLETTER

More than 230 people from both business and IT functions in companies with more than 1000 employees in the UK were questioned for the study. The study was supported by CGI, Fujitsu, cybX and Symantec.

Seventy per cent of firms think that the cyber security threat landscape is getting worse, according to the survey. In addition, 65% of respondents reported an increase in visibility of cyber security at board level, reflecting the increased importance that senior executive place on breach prevention and detection. Over half of the firms survey reported an increase in cyber security workloads, putting staff under intense pressure.

However, less than half of firms are seeing a rise in cyber security budgets. Comparing these reported static budgets against rising threats, board awareness and workloads reveals a funding gap that is impacting security provision.

In response, firms are seeking external support from third party providers, either in the form of on-site consultants working in-house, or outsourcing of cyber security provision, known as Managed Security Services (MSS).

The survey shows that only 21% of companies use no external cyber security resources, 40% of companies buy in security expertise for specific projects, 34% use Managed Security Services and 13% outsource all their cyber security provision.

“Firms are between a rock and a hard place when it comes to cyber security provision,” said Duncan Brown, Research Director at PAC and lead author of the study. “The double whammy of insufficient funds and a scarcity of skills appears to be driving organisations towards external resources, including outsourcing, even though there is a clear reluctance to do this.” Instead, says Brown, firms will use a selective outsourcing model, picking the tasks and services that can be handed off to third parties. “This represents an entirely pragmatic approach. Organisations dislike losing visibility and control of processes, especially those that have a high risk profile such as cyber security,” he said.

Sponsors confirm PAC’s view

“The increasingly pervasive nature of digitisation-enabled operating models, with vulnerabilities not just in the core organisation but its inter-connected supply chain and customers, makes cyber security a core business capability,” said Richard Preece, Director at cybX. “Cyber security should be approached as an enterprise-wide risk issue, rather than an IT concern. It’s positive to see that cyber is at the forefront of many organisations’ strategic risk register: however, there is still some work needed to change the perception of cyber being a ‘grudge’ security cost centre, to a more business-aligned strategy supporting aspects of organisational transformation and change to achieve business objectives.”

“With threats continuing to evolve, attacks becoming broader and hacker capabilities developing remarkably, it is no surprise that organisations think the security landscape is getting worse,” said Rob Norris, Director Enterprise & Cyber Security in the UK & Ireland at Fujitsu. “Security is now sitting outside the IT department and because of this businesses need to develop an enterprise security model that is flexible and can change with the threat landscape. Whether solutions are in-house or outsourced, businesses should ensure that its security model places risk management at the centre.”

Sian John, EMEA Chief Strategist, Symantec commented, “As the threat landscape continues to evolve and becomes increasingly sophisticated, it is key that organisations are taking the necessary steps to address risk and build resilience. While it is a positive move to see that cyber security is being taken more seriously at board level, there is still much to be done to ensure that organisations are able to determine and contextualise the specific business risks of today’s cyber threats and develop an informed response.”

Andrew Rogoyski, Head of UK Cyber Security Services, CGI commented, “This survey confirms CGI’s view that companies are realising the importance of a holistic approach to cyber security which is built into their company strategy and led from their boardroom. They are also starting to develop long term partnerships via outsourcing and co-sourcing, so they can deliver improved cyber security. The survey highlights some interesting issues, such as the growing awareness of new data protection legislation, the increased sensitivity of the geographic location of data and the high proportion of companies now looking at cyber insurance to mitigate the huge costs of breaches and disruption caused by cyber-attacks”.

Taking a cautious approach

Companies appear ready to adopt a cautious and selective approach to outsourcing or the use of external resources for project-based work. This reflects a pragmatic approach to the problem of budgetary and skills concerns. Buying in external capability as and when needed makes sense, but for more long-term provision Managed Security Services are more likely to be deployed.

Cyber security is critical to organisations. And although they currently use external providers, they are clear that when they do such providers must come with robust credentials. Seventy-three per cent of respondents said that they looked for a strong track record in cyber security when appointing a cyber security services provider. This was closely followed by Security expertise and skills (at 71%).

“Cyber security is too important to businesses for them to adopt additional risks with their suppliers, said Duncan Brown at PAC. “It is important then for suppliers to communicate their track records, and strong industry knowledge is also extremely useful.”

The Executive Summary version of the study can be downloaded free of charge: https://www.pac-online.com/cyber-security-now-too-hard-enterprises-executive-summary