A recent Southern Methodist University, Dallas, survey interviewed 40 executives at firms in different industries to determine how they identify, prioritize, and invest in the management of cybersecurity risks. The results are enlightening.

The survey finds that senior management supports cybersecurity almost unanimously. The reasoning is largely fear-based, with several managers citing large security breaches that have been covered in the media of late. The rise in attacks and coverage has increased awareness, states the SMU report, but also increased the ease of getting cybersecurity funding.

A more difficult obstacle is finding experienced cybersecurity experts to fill the empty seats, and many firms reported hiring recent graduates and training them up to speed; in fact, leveraging the existing security applications to full capacity is also limited by the inexperience of the cybersecurity staff, stated one Chief Information Security Officer (CISO) in the report.

Frameworks for defining cybersecurity status and prioritizing investments are used by nearly all of the 40 firms that participated. These frameworks, state the report, were used to make clear to senior decision makers the true weight of cyber threats, and the potential disturbance to business as usual.

The survey adds that as a rule across the firms, there is more focus on process over outcome. One possible reason for this, given in the survey, is emphasis on frameworks and on closing gaps between the actual and desired cybersecurity shield.

The survey ends with this summation by its authors, “Overall we think that CISOs have robust resources and processes to manage cybersecurity; unfortunately bad actors also have robust resources. We believe that this is a period when many firms will elevate cyber to being a first-class risk which will lead to a significant adjustment to the role of the CISO.

“We conclude by noting an unresolved disconnect. On the one hand, CISOs express high confidence in frameworks and their ability to identify and deploy the best controls to improve cybersecurity for their organization. On the other hand, the steady drumbeat of high-profile breaches shows no sign of abating. We speculate that this contradiction may result from an overconfidence in the process-based measures and a corresponding lack of emphasis on measuring secure outcomes.”