Only 12 per cent of boards of directors have a dedicated board-level cybersecurity committee even though 88 per cent view it as a business risk rather than a technology risk.

The figures are contained in a new Gartner study.
Paul Proctor, research vice president at Gartner, believes that a lack of understanding has led to executives outside of the IT department not taking enough responsibility for the cybersecurity of their organisations.
“The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve,” said Proctor.
A recent Gartner survey found that the CIO, CISO or an equivalent position was held accountable for cybersecurity, with only 10 per cent of organisations holding a non-IT senior manager accountable.
According to Gartner, individuals in these positions such as CIOs must balance cybersecurity accountability so that it is shared with business leaders.
“IT and security leaders are often considered the ultimate authorities for protecting the enterprise from threats,” said Proctor.
“Yet, business leaders make decisions every day, without consulting the CIO or CISO, that impact the organization’s security.”
Gartner projects overall growth in cybersecurity spending, with 66 per cent of CIOs intending to increase investment in cybersecurity over the next 12 months. This growth is, however, expected to slow through 2023.
“After years of such heavy investment in security, Boards are now pushing back and asking what their dollars have achieved,” Proctor said.
“CIOs and CISOs must leverage their expertise to increase transparency around investment and risk, to drive shared accountability for security across the business.”
The authors say that collaboration between executive leadership and CIO/CISOs will be necessary to rethink cybersecurity investment.
“As security budgets shrink, CIOs and CISOs will need to collaborate closely with executive leadership to reframe cybersecurity investment in a business context. For example, CISOs can offer a range of protection options to business leaders with the costs and risks of each choice clearly outlined.”