54% of CISOs Struggle to Convince Board to Prioritize Cybersecurity Investments
A new report shows that while communication with the board is improving at many organizations, CISOs still struggle to obtain cybersecurity investments.
Chief information security officers (CISOs) play a crucial role in advocating for cybersecurity investments and communicating risk to the board. Although significant progress has been made, 54 percent of surveyed CISOs reported feeling that their board did not provide ample investments in cybersecurity, a survey conducted by Censuswide and commissioned by Encore found.
Researchers surveyed 500 office workers, 100 C-level executives, and 100 CISOs from the UK and the US.
“Chief Information Security Officers (CISOs) are the face of cybersecurity within an organization, and expectations of this role have reached new heights as a result,” the report noted.
“For years, they have been the source of all cyber knowledge, the in-case-of-emergency contact, and the clean-up crew after a breach. The pressure on their shoulders has been—and continues to be—substantial.”
Communicating cyber risk to C-suite executives is clearly improving—only 4 percent of executives said that they did not discuss cybersecurity in the boardroom. However, only half of the surveyed C-suite executives said that cybersecurity was a top priority, and over 60 percent of security leaders reported not feeling supported by the board when it came to mitigating cyber risk.
“The fact that 12 [percent] of C-suite executives still only discuss cybersecurity when a breach occurs means there is still the attitude of ‘deal with it when it becomes a problem.’ No matter how small the number, if this attitude continues, countless organizations remain at risk,” the report pointed out.
One of the biggest hurdles that CISOs face is effectively communicating cyber risk as a business risk. Healthcare organizations, for example, focus on delivering patient care, but they are still businesses with financial goals and with threats to achieving those goals. Framing cyber risk reduction as another business deliverable is one way to convey the importance of cybersecurity in terms the board already understands.
The upfront costs associated with implementing a comprehensive cybersecurity program may be steep, but the price of neglecting cybersecurity is much greater.
“When it comes to the investment side of cybersecurity, there are two ends of the spectrum. There are those who fail to recognize the significance of risk and therefore allocate limited budgets, or those who fail to understand the complexity of risk, so throw money at the problem in the hopes that the technology ‘does what it says on the tin’ or with no real strategy to close the control objective,” the report suggested.
The report showed that 89 percent of C-level executives had an incident response plan in place, but researchers noted that strategies must be employed much earlier to truly strengthen an organization’s security architecture.
“All too often, CISOs and their teams are restricted by siloed security stacks, where breaches can go unnoticed, assets are left unmonitored, and devices remain misconfigured,” the report stated.
To combat these challenges, CISOs should focus on communicating cyber risk as a business risk and on educating employees and executives in proper cyber hygiene. A culture of cybersecurity and a sense of shared responsibility can help strengthen an organization’s security posture and alleviate some of the pressure placed on CISOs.