CSOs and CIOs ranked cybersecurity transformation as one of the most challenging aspects of cyber risk management that are related to the entire infrastructure. 

According to Deloitte's The Future of Cyber 2019 report, with finite budgets and resources, the ability to apply the level of cyber strategic input and security measures needed as well as deliver on day-to-day cyber management will likely tax even the highest-performing cyber teams. The survey findings reveal the challenges are not limited to budget and resources but to a collective enterprise alignment on integrating cyber into critical business strategy and operations. 

A review of the survey data around time management suggests that many executives are spending a significant amount of their time in three specific
areas: cyber governance, resilience, and cyber monitoring and operations. Given the recent surge in higher impact cyberattacks, these numbers confirm that organizations are heavily focusing on two of the five core functions of the National Institute of Standards and Technology (NIST) framework—detect, and respond and recovery— while cyber governance absorbs the third top spot.

In parallel, budgets are seemingly distributed the same way, spreading dollars equitably across the cyber domains while just under 15 percent of the total budget spent is on transformation initiatives including cloud, analytics, and IoT. 

Key findings include:

• 90 percent surveyed citing 10 percent or less of budget dollars assigned for efforts such as cloud migration, software-as-a-service (SaaS) implementation, analytics, and machine learning (ML).
• Cyber teams are challenged by their ability to help the organization better prioritize cyber risk across the enterprise (15 percent), followed closely behind by lack of management alignment on priorities (14 percent) and finally, by adequate funding (13 percent).
• 49 percent of participating C-level executives have cybersecurity issues on their board’s agenda once a quarter.
• 77 percent of CISOs report that cybersecurity issues are on their board’s agenda at least quarterly.
• 50 percent of participating C-level executives employ risk quantification tools to track and evaluate their cybersecurity investment decisions.