
Leaders agree that cybersecurity is a business risk, but are they acting on that belief?

Despite nearly unanimous agreement, there’s still a lack of clarity on who is accountable for security incidents and whether previous security investments have paid off, a Gartner survey finds.


A Gartner survey of the members of various boards of directors finds that, while 88% believe that cybersecurity should be classified as a business risk instead of a technology one, the actions they’ve taken don’t necessarily reflect that.

Organizations that classify cybersecurity as a business risk would naturally have a senior-level non-IT person accountable for it, but only 10% of leaders reported that to be the case in their organizations.


The report also found that cybersecurity spending is still increasing, but at a slower rate, which further reveals a shift in perspective: security is no longer a hole to throw money into, but a business investment that should provide a return. “After years of such heavy investment in security, boards are now pushing back and asking what their dollars have achieved,” said Gartner distinguished research VP Paul Proctor. Despite this, only 12% of respondents said that their boards had a dedicated cybersecurity committee.

Why the disconnect?

Acknowledging the problem is a good first step, and the above statistics indicate that boards are starting to face up to the issue, but that isn’t all they have to do. “It’s time for executives outside of IT to take responsibility for securing the enterprise,” Proctor said.

That means the 90% of businesses without a non-IT senior leader accountable for cybersecurity need to find one, and the 88% that don’t have a board-level cybersecurity committee need to start one.

“For years, boards have treated security like magic and security people like wizards. They give the wizards money to cast technology spells, and if something goes wrong they blame the wizards. This has led to some very bad decisions,” Proctor said.

Jokes aside, Proctor said that the statistics from the study represent a mixture of intentions and reality checks for board members, many of whom have taken the problem seriously for years but with little desire to know what’s actually happening in the occult depths of their server rooms.


“Boards are finally ready to stop treating security like magic, but it will take years to figure out how to actually do that. The secret is to invest in it through a business lens and to balance the needs to protect with the needs to run their business,” Proctor said.

Gartner recommends that IT and security leaders work directly with boards of directors to establish proper governance rules that share responsibility for any business decision that could affect enterprise security.

If done correctly, Gartner notes, security leaders could even manage to prevent budget cuts that are largely an issue of transparency. “CIOs and CISOs must leverage their expertise to increase transparency around investment and risk, to drive shared accountability for security across the business,” said Proctor.
