Security & Compliance Blog

Despite Increased Security Spending, Executives Remain Concerned About Their Organization’s Vulnerability

Marc Wilczek

In the midst of the digital revolution that is currently underway, bad guys are trying to take advantage and exploit individuals and businesses alike. No one is immune to cybercrime. In a recent study, out of 1,100 Chief Information Security Officers (CISOs) polled, 68% have experienced a breach, with 26% of those experiencing a breach during the last 12 months – both numbers climbed compared to the previous year. Despite all efforts, almost one third (30%) still considered their organizations ‘very vulnerable’ or ‘extremely vulnerable’ to a data breach, and the number of such incidents keeps soaring. In this cat-and-mouse game, organizations are simultaneously enhancing their arsenal to keep up with rising threats. 73% of organizations increased their IT security spending in 2017 – up from 58% in 2016.

The prime driver for boosting investments: compliance

The motivations for raising security spending vary, but the key driver remains unchanged: compliance. Almost half (44%) of the participants cited compliance regulations as their top spending priority, followed by best practices (38%) and protecting reputation/brand (36%). 59% also believe compliance is ‘very effective’ or ‘extremely effective’ at preventing data breaches.

As much as these compliance requirements help map out a cyber-security landscape, they are by no means the sole consideration when creating a defense strategy robust enough to combat today’s sophisticated attackers.

External and internal cyber actors the top threat

Across all vertical industries polled, cyber-crime was listed as the top threat (44%), followed by hacktivism (17%), cyber-terrorism (15%) and nation-states (12%). As far as internal threats go, 58% of the participants believe privileged users are the most dangerous insiders (which is slightly lower than last year’s 63%). Cited by 44%, executive management is seen as the second riskiest insider group. This was followed by ordinary employees (36%) and contractors (33%).

Digitization requires rethinking the threat landscape

Organizations drive their digital agenda at a fast pace and encourage new ways of working, but many fail to adjust their defense strategies accordingly. What might have worked in the past is not necessarily most effective in an evolving threat landscape going forward. A recent study by BMC and Forbes revealed that as many as 69% of senior executives believe digital transformation is forcing fundamental changes to security strategies. Another 68% plan to enhance incident response capabilities in the next 12 months. With the average data breach costing US$4 million, it’s perhaps not really surprising that 82% of executives across Europe and North America will again raise their security investments in 2017.

The average organization encounters between 11 and 20 incidents per day

The frequency of incidents is far greater than most people assume. Another report concluded that the average mid-sized organization (1,000–3,000 employees) encounters 11–20 incidents on a single day. Larger organizations (3,001–5,000 employees) are slightly busier, with the median at 21–30 incidents per day. The largest organizations (more than 5,000 employees) are busiest, with the median at 31–50 incidents daily.


The number of senior executives concerned about their organization’s vulnerability is surprisingly high – if not alarming. Investments have been increasing for years, and yet, many organizations still seem to be fairly unprepared. Compliance remains the driving force that motivates increased security spending for most organizations. At the same time, incidents occur a lot more often than most people can imagine. In an ever-changing digital world, organizations must rethink their security strategy and constantly enhance their arsenals as they have to cope with new kinds of threats, increased frequency and more sophisticated cyber-attacks.


These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.


About the author

Marc Wilczek


Marc Wilczek is an Entrepreneur and Business Leader with more than 20 years of experience across the ICT industry. He’s passionate about all things #digital, with emphasis on Cloud, Big Data and IoT services.
He is an Alfred P. Sloan Fellow and holds master’s degrees from FOM Graduate School for Economics and Management in Frankfurt and London Business School.