According to a new survey from Gartner, 88% of Boards of Directors (BoDs) see cybersecurity as a business risk rather than a technical risk. However, just 12% of boards of directors have a board-level cybersecurity committee.
Although business executives are aware of the need to protect the company from new and emerging threats, IT leadership is still primarily held responsible for security.
According to the recent Gartner survey, the CIO, CISO, or their equivalent was the top person held accountable for cybersecurity in 85% of firms. Only 10% of companies held non-IT senior executives accountable.
“It’s time for executives outside of IT to take responsibility for securing the enterprise,” said Paul Proctor, distinguished research vice president at Gartner. “The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve.”
“IT and security leaders are often considered the ultimate authorities for protecting the enterprise from threats,” added Mr. Proctor. “Yet, business leaders make decisions every day, without consulting the CIO or CISO, that impact the organization’s security.”
CIOs and CISOs must rebalance cybersecurity accountability so that it is shared with business and enterprise executives, according to Gartner. IT and security professionals should collaborate with CEOs and boards of directors to build governance that shares responsibility for the business decisions that affect enterprise security.
Cybersecurity Budgets Fall
According to another recent study, 66% of CIOs want to raise cybersecurity spending in the coming year. However, according to Gartner, global cybersecurity spending growth will decrease through 2023.
“After years of such heavy investment in security, Boards are now pushing back and asking what their dollars have achieved,” added Mr. Proctor.
As security budgets fall, CIOs and CISOs will need to work closely with senior leadership to frame cybersecurity investment in business terms, Gartner stated. For example, CISOs might present business executives with a number of security options, each with its own set of costs and risks.
“CIOs and CISOs must leverage their expertise to increase transparency around investment and risk, to drive shared accountability for security across the business,” concluded Mr. Proctor.