Even though nearly all businesses have experienced some kind of security breach in the last two years, a new survey of IT decision-makers has found that nearly half believe their board is still not making cybersecurity a significant enough priority.
Fully 82 percent of businesses had been breached in the previous two years, according to Fortinet’s recent Global Enterprise Security Survey, but 48 percent of surveyed IT decision makers said their company boards still weren’t treating cybersecurity as a top priority.
Fully 77 percent believe the board should put more scrutiny on IT security. “As organizations now embrace digital transformation and turn to technologies like the cloud, cybersecurity is no longer just an IT investment but a strategic business decision,” said Fortinet senior executive vice president of worldwide sales and support Patrice Perche in a statement.
“In today’s digital economy, I expect the trend we’ve seen at the board level to accelerate with security being treated as a top priority within an organisation’s broader risk management strategy. By doing so, companies will be in a better position to succeed in their digital transformation efforts.”
Perche’s comments echo a recent analysis by Gartner, which noted that despite progress in furthering overall cybersecurity awareness most CISOs were still going to struggle pushing their agendas on their own. By 2020, the analyst firm warned, information-security programs sponsored by the IT organisation will suffer significant breaches three times as frequently as those sponsored by business leaders.
“Boards are now taking a greater interest in security and risk,” analyst Kasey Panetta wrote. “This means there is a greater onus on security to translate the work they’re doing into a business context. Without the communication there is a misalignment between security and what’s going on in the rest of the organization.”
Yet many board members are paying attention to cybersecurity for reasons that are very different to those of CISOs. Notably, the respondents to the Fortinet survey generally believed that the transition to the cloud – and not the fact that they are already being breached – would ultimately push boards to be more engaged around IT security.
Cloud migrations were cited as the key motivator by 77 percent of respondents, while just 49 percent said board members were motivated by reports of high-profile attacks like WannaCry ransomware.
Just 35 percent said compliance and regulatory concerns were motivating board members to be more diligent around security. Ultimately, the implementation of better cybersecurity policy and awareness is an ongoing process, ISACA CEO Matt Loeb recently told CSO Australia.
“At the end of the day, cybersecurity ties back to some basic things that all organisations should be focused on,” he said, “which is good governance of their information and technology.”
ISACA has been working on a CMMI-inspired framework that will help IT leaders couch cybersecurity in terms that facilitate meaningful discussions around cybersecurity with board members.
“Many organisations are taking steps to improve this, but because of the reluctance around information sharing and the chaotic nature of the space, many organisations don’t have a good foundation for technology or governance embedded.”