Hong Kong: Boardroom engagement plays a significant role in making critical decisions and driving business strategy. Although this is a long-established practice across businesses and organisations, it is far less common when the strategy in question is cybersecurity.
Boardroom engagement and agreement are critical to driving cybersecurity strategies and enhancing the overall digital security of an organisation.
However, a new study finds that organisations under-prioritise security technology, which creates barriers to driving cybersecurity strategies within the organisation.
In practical terms, this means that boards and C-suite leaders need to give security technology a much higher priority within the organisation's business processes.
A Trend Micro-sponsored study by the Enterprise Strategy Group (ESG) revealed systemic challenges in integrating security into business processes.
The study found that only 23% of organisations prioritise the alignment of security with key business initiatives. It offers three key recommendations to remedy this core challenge:
- Add a Business Information Security Officer (BISO) to improve business-security alignment.
- Build a top-down, measurable program to help CISOs better communicate with their boards.
- Change reporting structures so that CISOs report directly to their CEO.
When board members are more educated about and engaged in the cybersecurity function, they ask tougher questions and dig deeper into issues, the study stated. Such board members are also more likely to make the leap from technical issues to business issues.
The vast majority (82%) of survey respondents said that cyber risk has increased in the past two years, mainly because of an increase in threats, an expanding corporate attack surface, and business processes that are more dependent on technology than ever.
Yet despite the rapid adoption of digital transformation processes in the past year, security is still viewed as primarily (41%) or entirely (21%) a technology area.
The lack of cybersecurity prioritisation is particularly evident in the boardroom. Although 85% of respondents said that their board of directors is more engaged in security decisions and strategy than two years ago, those executives are often drawn in passively, prompted by a major breach, new compliance requirements, or the creation of a security programme by a CISO.
In fact, 44% of respondents indicated that their board of directors has limited involvement in many critical cybersecurity operations. As a result, many boards are only prepared to fund the bare minimum needed to meet compliance and protection requirements.
Striving for ‘good enough’ security is frankly not good enough given today’s cyber risk landscape, according to Ed Cabrera, Chief Cybersecurity Officer at Trend Micro.
“This report mirrors many of my conversations with CISOs highlighting that lack of boardroom engagement can lead to poor cyber hygiene and security that is not properly integrated into business processes,” said Cabrera.
“We can only create a culture of cybersecurity if CEOs and corporate directors lead by example. This encourages every employee to believe they have a role in protecting the organisation,” added Cabrera.
The ESG study was based on an online survey of 365 senior business, cybersecurity, and IT professionals in North America (the US and Canada) and Western Europe (the UK, France, and Germany) working at midmarket (500-999 employees) and enterprise-class (1,000+ employees) organisations.