A survey carried out by IDC France in partnership with Cesin and the firm Eneid-Transition shows that the general management’s perception of cybersecurity has changed rapidly over the past two years.
In partnership with Cesin (Club of Information and Digital Security Experts) and Eneid-Transition, a firm specializing in transition management, IDC France surveyed 80 French cyber decision-makers (DSI and RSSI, i.e. CIOs and CISOs) from large companies to examine the cybersecurity maturity of their leadership. The results show a clear and encouraging evolution: two years ago, almost six out of ten companies regarded digital security as a technical function or a cost center. This proportion falls to 31% in 2021 and is expected to keep declining, reaching 22% in two years. A majority of organizations now perceive cybersecurity as a key contributor to business activity: 40% this year, a figure expected to reach 54% within two years. This shift stems both from the involvement of general management in the subject and from the closer proximity of CISOs to the management team. Thus, in 75% of the organizations questioned, the CISO can address the executive committee (Comex) at least two or three times a year.
However, the study also reveals that there is still room for improvement. To measure the cyber maturity of leaders, IDC built an index based on more than 60 criteria across four areas of analysis: the quality of the relationship between the CEO and the cyber manager, cybersecurity management, cyber awareness actions, and the capacity to react to attacks. The average across all respondents is 47/100, with only 6% of them reaching the “cyber-ready” level (a score above 75/100). “The analysis of the results obtained with the Cesin-Eneid index shows that two factors play an essential role in the cyber maturity of general management: the presence on the Comex of the management to which the CISO is attached, and the proactive consideration of cyber risks,” says Reynald Fléchaux, research manager at IDC France.
Efforts to be made on crisis preparation
Among the progress made by companies is better consideration of security within IT projects. Thus, in nearly 3 out of 4 organizations, all projects must comply with a security framework, including digital projects carried out outside the IT department. In addition, the CISO (RSSI) is consulted upstream in nearly six out of ten companies (56%). Companies have also made progress in assessing the financial risk associated with cyberattacks: 75% of the cyber decision-makers surveyed say they are confident in the assessments made by their CEO or executive committee of this risk. As a result, the criteria considered most important in setting cybersecurity budgets relate to risk perception: recent attacks against the organization, media coverage of attacks against other companies, and risk exposure rank first, while the standard criteria (alignment with the IT department's or support budgets, expenditure benchmarks, etc.) are considered unimportant. […] per year to cybersecurity. 36% spend less, while 26% invest more in the subject.
The results nevertheless highlight areas where organizations need to improve, particularly crisis preparedness. In more than half (54%) of the respondents' organizations, crisis management procedures are either non-existent, insufficiently tested or not tested at all, while only 35% manage to run crisis management exercises that involve the Comex or general management. Alain Bouillé, CEO of Cesin, also believes that companies must work on two other equally essential points to improve: “First, on a better understanding of their cyber-dependence: on whom does the company depend in terms of supplier and partner chains? Then, on the ability to detect, react and rebuild. Detecting a cyberattack as quickly as possible is what makes the difference today and limits its consequences.”