Nearly a quarter of companies (24.6%) say they would be willing to pay hackers a ransom to prevent a cyberattack, a new survey finds.

To stop cybercriminals from releasing sensitive information, 14% of companies would pay a ransom in excess of $1 million, according to a survey of 209 information technology security professionals worldwide by the Cloud Security Alliance.

The survey, The Cloud Balancing Act for IT: Between Promise and Peril, found that one factor influencing willingness to pay is whether or not the company has cyber insurance, which would cover the cost, the report said. About 28.6% of companies with cyber insurance say they would pay ransom, compared with 22.6% for companies without such insurance policies.

The survey also found:

• The top barrier to stopping data loss in the cloud is a lack of skilled security professionals – is security analyst the next hot job opportunity?
• Customer relationship management (CRM) is the most widely used cloud-based system of record today, but companies have plans to move other systems to the cloud
• Cloud confidence rising: 64.9% of IT leaders think the cloud is as secure or more secure than on-premises software
• CISOs play an important role in security – having one makes a company more likely to take steps to prepare for a cyber attack

"Employees and the line of business are key elements in driving corporate cloud adoption. IT professionals we surveyed receive, on average, 10.6 requests each month for new cloud services. Even considering there is likely overlap in these requests, that’s a tremendous number of cloud services that must be vetted," the survey said. "Perhaps that’s why 71.2% of companies now have a formal process for users to request new cloud services. However, these programs are still evolving. Of companies with a formal process, 65.5% indicated that they only partially follow it."

As quickly as companies are responding to requests to enable cloud services, they may not be responding quickly enough or sufficiently to meet the demand, the survey said. An overwhelming majority of IT professionals surveyed, 71.3%, said their companies have plans to offer more support for cloud to the lines of business. Much of the attention on cloud adoption has been focused on innovative social media, file sharing, content sharing, and communication applications. However, most businesses also rely on back-end systems that, at their core, maintain records on employees, customers, and materials as they move through the supply chain. Companies are beginning to move these applications to the cloud as well.

In terms of barriers to cloud adoption, the primary obstacle noted by 67.8% of companies was the ability to enforce their corporate security policies. Next, 61.2% of companies said that concern about complying with regulatory requirements was a barrier. Budget-related constraints do not appear to be a major hesitation when it comes to replacing a legacy on-premises system of record with a cloud-based equivalent.

Considering the financial impact that a major data breach can have on a company, information security is an increasingly important function to reduce the risk and the potential impact of incidents. Recognizing the importance of security, more companies are appointing a Chief Information Security Officer (CISO) to manage the information security team, according to the report. Today, 60.8% of companies have a CISO. A CISO’s role can vary, but it often includes setting security policies, overseeing regulatory compliance, and taking responsibility for data privacy. "Company size appears to have a significant effect on whether a company has made an investment in hiring a CISO to head the information security team. Larger companies are significantly more likely to hire a CISO versus their smaller counterparts; 82.4% of companies with more than 5,000 employees have a CISO, while only 50.6% of companies with fewer than 5,000 employees have one," the report noted.

A key question when a company creates a CISO position is the best reporting structure. "Some people argue that since information security is a core aspect of information technology, the CISO should report to the Chief Information Officer (CIO)," the report noted. "Others argue that the CIO’s mission to enable the business with new technology conflicts with the CISO’s mission to protect the company’s information. The security of a company’s information has become so business-critical that it’s a function that should report directly to the CEO," the report said. The report found that 41.8% of CISOs report to the CIO. Another 32.0% of them report directly to the CEO. Reporting structure is highly dependent on the company’s size, however. At companies smaller than 5,000 employees, the CISO is most likely to report to the CEO. At companies with more than 5,000 employees, the CISO is most likely to report to the CIO. One possible explanation is that while the span of control for CEOs of large enterprises has doubled in the past several decades to 10 direct reports, and while CEOs increasingly manage functional specialists like the CIO, security is not yet perceived as something that CEOs should directly manage.

Following a breach, the survey noted that many companies rely on cybersecurity insurance to cover part of the cost of the incident. Following the Target credit card breach in 2013, for example, the company’s insurance covered $90 million of the $264 million cost related to the attack. Many cyber insurance plans now offer the option of cyber ransom coverage, which pays for the costs associated with making ransom payments to cyber attackers. The willingness of a company to pay a ransom to stop a catastrophic release of stolen information is correlated with whether the company has cyber insurance, the report said. Companies without cyber insurance are less likely than average to pay a ransom. Just 22.6% of these companies would pay a ransom. Across companies with cyber insurance, 28.6% would pay a ransom, higher than average.

The full report is at