According to a new study, corporate executives and board members see cybersecurity as a technology domain, not a business concern.
In 2015, the security industry adopted a new slogan: 'Cybersecurity is a matter for the board'. Since then, the growing relationship between CISOs, business executives, and corporate boards has been documented in many research reports, business press articles, webinars, local events, and even RSA and Black Hat sessions.
What has changed since then?
Has anything changed since then? To find out, ESG surveyed 365 high-level executives and cybersecurity and IT professionals working in large and mid-sized companies in North America (US, Canada) and Western Europe (UK, France, Germany).
There is good news and bad news in the survey results. The good news is that cybersecurity really is a board-level issue. The bad news is that it is not yet where it should be.
Cybersecurity is still seen as a technology issue
Twenty-eight percent of respondents believe that cybersecurity is entirely a technology area, and 41% say cybersecurity is a technology area with a business emphasis. Surprisingly, 11% still see cybersecurity as a compliance area only. In practice, this means that board-level discussions on cybersecurity focus on things like open software vulnerabilities and the number of incidents detected, rather than on building cyber-resilience into critical applications and business processes, protecting customer communications, or retaining staff.
CISOs are still seen as technicians
More than half of all companies see the CISO as a business executive, but the other half still see the position only as an IT role. Some companies consider the CISO to be little more than an expensive firewall manager. In-house CISOs rarely meet with executives or boards, and even when they do, they typically answer questions rather than offer proactive opinions.
Cybersecurity is still at odds with corporate culture
Less than half of companies (44%) rated their employees' commitment to and participation in cybersecurity as "very good". The remaining 56% rated it adequate, fair, or poor. So while CISOs declare that 'cybersecurity is everyone's job', most companies do not include it in how they rank and evaluate employees.
Business managers have little or no cybersecurity responsibilities
Likewise, only 29% of companies report that non-technical managers have cybersecurity responsibilities, such as classifying sensitive data, mapping employee roles to access policies, and creating business plans together with cybersecurity managers. Business executives tend to treat this as a checkbox exercise to be completed as quickly as possible.
This report and other data reveal a dichotomy in cybersecurity. Boards and executives are more involved in cybersecurity, but they maintain an 'us and them' mindset: business executives and the board of directors drive business decisions, while the CISO is responsible for tightening technical security controls and cleaning up any issues that arise.
The 2015 declaration that cybersecurity is a board issue was not wrong. According to ESG research, after years of neglect, boards and executives finally seem to have started paying attention to cybersecurity five years ago. Since then, the cybersecurity industry has been busy congratulating itself on incremental progress.
If my doctor warned me that I had to lose 20kg, I would not declare victory after losing only 2kg. Unfortunately, that is what is happening with boards, top management, and cybersecurity. Most companies still have a lot of work ahead of them.
However, this survey also shows that some companies have implemented security well beyond the basics. These companies have made significant progress in making cybersecurity an integral component of their business mission, culture, and strategy. In addition, some of them have benefited from security efficiencies, improved ROI on cybersecurity investments, and increased business flexibility.