To borrow a tried-and-true aphorism for the role of the executive: "The buck stops here." Ultimately, this means that corporate directors are responsible for all aspects of the business they oversee, including safeguarding business-critical technology assets. As cyber threats continue to increase, there is a need to strengthen security practices from the top down. The Enterprise Strategy Group (ESG) surveyed 365 senior business, cybersecurity, and IT professionals throughout the Western world to assess communication, collaboration, and productivity between executives and IT teams, and to offer a number of structural improvements for better security-business alignment in organizations.
There is a pressing need for CEOs and corporate directors to lead by example
According to ESG’s data, a large majority (82%) of respondents reported that cyber risk has increased in the past two years. This is primarily due to an increase in threats, the expansion of the corporate attack surface, and the fact that organizations and business processes rely on technology more than ever.
Security is still viewed as primarily (41%) or entirely (21%) a technology issue.
These numbers are alarming when you take into account that, over the past 12 months, there has been a steady increase in the adoption of digital transformation processes. When it comes to C-level executives, there is a lack of engagement. In practice, this means that executives at a majority of organizations are only willing to fund the bare minimum needed to meet compliance and protection requirements.
A large percentage of organizations remain content with ‘good enough security’
There is a concern within the security community that executives are only willing to fund the cybersecurity teams, processes, and technologies that help the organization satisfy regulations and provide rudimentary protection. This has led to the saying that "organizations don't want good security; they want 'good enough' security." Unfortunately, this attitude is still prevalent in businesses.
The majority (54%) rate their company-wide commitment to cyber-hygiene as adequate, fair, or poor.
Similarly, less than half (41%) of organizations rated their C-level executives' commitment to cybersecurity as only adequate or fair. A lack of boardroom engagement can lead to poor cyber hygiene and to security that is not properly integrated into business processes.
What can be done to improve cybersecurity alignment with the business?
When the boardroom and C-level executives are more engaged and better educated in cybersecurity, they ask tougher questions, dig deeper into issues, and are more likely to connect cybersecurity risk to business matters.
According to ESG, the top three actions suggested by respondents as most likely to improve business-cybersecurity alignment are:
- Involve the security team in business plans and major initiatives much earlier in the process (33%)
- Improve/increase security training for business executives (33%)
- Improve data collection and analysis to enhance cyber risk decision-making (32%)
Respondents to ESG's survey also offered the following solutions for closing the business/cybersecurity gap:
- Hire/appoint Business Information Security Officers (BISOs) to drive security at a granular level into business processes, critical assets, sensitive data, and employee roles.
- Build a top-down, formalized and documented program using KPIs to help CISOs better communicate with their boards.
- Change reporting structures so that CISOs report directly to the CEO. This gives CEOs more exposure to security and gives the cybersecurity team more business input.
Gain valuable insight into the relationships between security and business executives, where progress is being made, and a comparison of how leading organizations differ from those that lag behind. Read Cybersecurity in the C-Suite and Boardroom from ESG.