As more organizations embrace digital transformation initiatives, cybersecurity is increasingly becoming a business decision that requires informed decision making on the part of the executive team and the board. Initiatives like cloud computing, IoT and application development are becoming inextricably linked to business growth, creating a potential gap between the fiduciary responsibility of the board and their understanding of the requirements and risks the business is increasingly facing. In short, cybersecurity has become a boardroom issue.
However, cybersecurity is highly technical, which raises the question: do executives and board members really understand the role of cybersecurity in the business? And are they investing appropriately in the right places to drive an effective security strategy and culture in their organization?
To explore the answers to these and other questions, ESG surveyed 365 senior business, cybersecurity, and IT professionals at organizations in North America (US and Canada) and Western Europe (UK, France, and Germany) working at midmarket (i.e., 100 to 999 employees) and enterprise-class (i.e., 1,000 or more employees) organizations.
In this study ESG and BitSight sought to:
“A majority of survey respondents say that their organization perceives cybersecurity as either entirely or mostly a technology area with some emphasis on business.”
Download the ESG report “Cybersecurity In The C-Suite and Boardroom” to learn where the gaps in security communication are and how they impact business performance.
For CISOs who report on cybersecurity to the board, understanding the board’s viewpoint on cybersecurity and getting its members more engaged is crucial to success. As the study found, security is still largely perceived as a technology area, which means that a large disconnect remains between executives and the board on one side and the security leaders who report to them on the other. On the positive side, security management is increasing, and most organizations surveyed are now using one of the common frameworks, such as ISO 3000, FAIR (Factor Analysis of Information Risk) or NIST, to guide their programs. And while 85% of respondents said that the board is getting more engaged in cybersecurity, there remains a long way to go, as the level of board engagement can vary widely from organization to organization.