Cybersecurity consistently receives significant attention, pressuring organizations to take precautionary steps to prevent incidents and data breaches. Numerous surveys are published each year by reputable organizations such as Deloitte, Verizon, The Ponemon Institute, and ISACA to get a better sense of what organizations are doing in response to these pressures. The general attitude is that threats evolve quickly and many organizations struggle to keep up.5 Much of the data available on this subject comes directly from cybersecurity professionals, which provides legitimacy to the findings. However, it also represents a somewhat biased sample in that responding organizations have already committed resources to tackling these complex issues. Further, there is limited analysis of how individual organizations are changing over time, as such reports typically provide industry-level observations. We seek to complement the myriad security research notes by investigating specific cybersecurity practices within organizations to evaluate where organizations are showing improvement, where they are stagnant, and what may be influencing these changes. Our results confirm that cybersecurity continues to receive attention on the surface, but a look beyond surface-level impressions reveals a surprising lack of progress.
Peeling Back the Layers
Each year, the Society for Information Management (SIM) conducts the IT Trends Study—an extensive survey of CIOs and top IT executives to evaluate IT practices within organizations.1 Organizations come from 30 different industries and vary in size, with an average revenue of $4 billion and a median revenue of $400 million. A hallmark of the study is the annual ranking of "organizations' Top IT management Issues" where respondents are asked to select up to five IT-related issues from a list of 41 that are the "greatest concerns to their organization." Cybersecurity has been in the top 10 for a decade and was the top concern for the last three years, signaling that organizations are more worried about cybersecurity than any other IT concern. However, the percentage of organizations selecting cybersecurity was only 41.9% in 2017, 38.3% in 2018, and 35.9% in 2019, suggesting a reality where a relatively small percentage of organizations treat it as a top concern.