
Moody's report surfaces real cybersecurity progress
Not too long ago, many organizations were choosing between investing in cyber insurance and adding cybersecurity expertise, but a new report from Moody’s suggests more organizations are now doing both. In fact, cybersecurity insurance these days typically creates a virtuous cycle, because organizations have to be a lot more cyber resilient to qualify for it in the first place.
A global survey of nearly 2,000 cybersecurity professionals conducted by the investment advisory service finds cybersecurity budgets have increased by nearly two-thirds (65%) in the past five years, which includes the salaries required to enable a 25% increase in the size of in-house cybersecurity staff working full-time.
At the same time, 87% report their organization has standalone cyber insurance, up 21% from 2021. A total of 13% said they plan to seek additional coverage in the coming year even though premiums are considerably higher than they once were.
It’s not precisely clear to what degree qualifying for cybersecurity insurance has resulted in the adoption of better cybersecurity processes, but the report notes most organizations are now backing up data at least weekly and have implemented multifactor authentication (MFA).
The report also notes that about three-quarters of all organizations perform tabletop exercises at least yearly, while 60% report having some type of bug bounty program in place.
Clearly, there is still much work to be done in terms of improving third-party risk assessments, but on the plus side, more cybersecurity teams (90%) have access to top-level executives to press their case.
Of course, the degree to which top-level executives understand and appreciate the cyber briefing they receive still varies widely from one organization to another. Many cybersecurity professionals still find it challenging to explain the level of business risk attached to a cybersecurity issue. In the absence of any formal finance training, it’s often difficult for them to make a compelling argument in terms that business executives will understand.
On the plus side, more business executives are at least listening either because they take the issue seriously after seeing first-hand how it might impact a business, or they are compelled to by law. It’s not likely business executives will ever have a deep understanding of cybersecurity, so, like it or not, the onus for explaining the issues and challenges the organization faces falls to the leaders of the cybersecurity team. The unspoken issue is that most business leaders are conditioned to weigh potential gains versus risks, so they may opt to launch an initiative regardless of the potential cybersecurity consequences.
The reality is most cybersecurity leaders, while being held more accountable than ever, simply can’t say no to any new initiatives. Instead, they are mainly providing advice on how best to ensure that whatever digital service is being added is as secure as possible.
On the whole, when it comes to cybersecurity these days, there’s much more to be optimistic about than at any time in recent memory. Hopefully, with advances in artificial intelligence (AI), there is a lot more to look forward to than there is to worry about.
