SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Study reveals boardroom to be chink in cybersecurity armour
Wed, 4th Oct 2017
FYI, this story is more than a year old

Leadership and board of director teams are proving to be the weak link in cybersecurity, according to new research from ISACA.

Despite more than 90 percent of surveyed business leaders being in agreement that strong technology governance contributes to improved business outcomes and increased agility, a whopping 69 percent reported that their leadership and board of director teams need to establish a clearer link between business and IT goals.

“The boardroom must become hyper-vigilant in ensuring a tight linkage between business goals and IT goals, fully leveraging business technology to improve business outcomes while diligently safeguarding the organisation's digital assets,” says Matt Loeb, CEO of ISACA.

“The message from our research is clear: there is much work to do in information and technology governance. Committing to a boardroom with technology savvy and experience strongly represented provides the needed foundation for organisations to effectively and securely innovate through technology.

What is concerning is that only 55 percent of respondents say their leadership team and board are ‘doing everything they can' to safeguard their organisation's digital assets and data – 21 percent don't think they are doing everything they can, while 23 percent don't know.

In regards to overall governance, cybersecurity policies and defences were cited as the number one corporate governance technological challenge and opportunity faced by leadership teams around the world.

However, only 21 percent of senior leadership and boards are briefed on risk topics at every senior leadership meeting, while only 33 percent of organisations assess risk related to technology use on a monthly or more frequent basis.

What is encouraging, is that many leadership teams are prioritising and increasing funding for cybersecurity and risk management programs.

  • 48 percent will prioritise funding expansion in cyber defence improvements, more than the number that intend to significantly expand funding for digital transformation (33 percent) and cloud (27 percent)
  • 27 percent also intend to fund increases in spending for security consultants, while 25 percent are going to invest in upgrades to network perimeter defences and 17 percent on cyber insurance
  • The majority (64 percent) have already increased spending on risk management in the past year versus last year, while 33 percent intend to increase spending in enterprise risk management programs over the next 12 months.

The leadership teams are also well aware of internal cyber threats, with 61 percent saying the board or senior leadership team believes there is heightened risk from both internal and external threats.

However, despite all this positive news in terms of awareness, most organisations have no plans to increase funding for training over the next year, with 35 percent intending to invest in data security training for employees, 15 percent on cybersecurity training for board members, and 21 percent on employee privacy training.

And GDPR remains a problem for all, with just 32 percent satisfied with the progress they've made to prepare for the upcoming regulations. 35 percent are unsure about their progress, while 40 percent are taking a wait-and-see attitude to see how GDPR will impact their organisation.

Finally, respondents were asked to name organisations whose boards they believe to be doing an exemplary job of business technology governance. Of the more than 150 companies noted, Microsoft, Google and IBM were most often cited as leading by example.