Even with ransomware being a consistent topic in the news, do you think most companies are still approaching security as a “nice-to-have”?


Head of Enterprise & Solution Architecture, 1,001 - 5,000 employees
I’ve noticed in a few companies I’ve worked for—smaller-sized organizations—that CIOs and CTOs do not treat security as an absolute necessity. We know we need it, but we have so many other priorities to fund. These ransom attacks are increasing, but what's the price for the companies that are impacted? We'd rather take a risk than protect ourselves from something that may or may not happen.
VP, IT and Operations in Software, 1,001 - 5,000 employees
Security does tend to be a nice-to-have. Oftentimes, even if you want to do an assessment, it gets trumped by something that's clearly generating revenue, like sales. For smaller companies, resources are very limited and early on you tend to be focused on revenue growth first, then security. You almost have to come up with a policy where you do an assessment every three months. It just becomes one of your standard operating procedures (SOPs).
CISO in Software, 51 - 200 employees

As far as compliance, etc., I can sell that to the board: “We need to be SOX compliant. We need to follow these SOPs in order to meet all these compliance needs.” But when it comes to potential threats, if I say, "We could potentially get this so I need to spend the money," they're not receptive.

Founder and CIO, Self-employed
If they have ever had an attack, they're probably more open to security spending, but I think you have to say, "These are the tools; this is what we need to do. I can't exactly tell you what it will save for you, but I know that a cyber attack is a brand issue." When your company gets attacked, you have a serious public relations issue you need to deal with. And they'll be receptive if they've either been in that situation, or if they had something big happen in their area recently that's caught their attention. But it is a challenge. There's a real tendency to keep saying, "We'll do it next year."
Director of IT in Software, 201 - 500 employees
Most of the time, security is not seen as something that generates revenue. Small to medium businesses are focused on growth and how to make sales. Unless you are regulated or required to be compliant with some security standards to be able to do business in a certain area (state, industry) or with a vendor, companies don't invest adequately in security.

Now, as organizations grow, they are starting to realize the brand impact of being hit by ransomware or the penalties for leaking PII, so they start to invest more and more.
Interestingly, the security budget always gets enough funding after a security breach.
