ARN

Business leaders get serious about cyber

However, only 12 per cent of boards of directors have a dedicated board-level cyber security committee.
  • Leon Spencer (New Zealand Reseller News)
  • 25 November, 2021 12:09

It seems cyber security is finally taking its rightful place as one of the top boardroom priorities among business leaders globally, with close to 90 per cent of boards of directors viewing security as a business risk, not just a technology risk.  

This is according to new research by analyst firm Gartner, which found that 88 per cent of boards surveyed indicated they viewed cyber security as a business risk. Gartner’s research captured hundreds of respondents in Asia Pacific, the US and Europe.

The distinction between treating information security as a business risk and treating it as a technology risk is important, because the former view is more likely to guide how an organisation runs its business, end-to-end.

It also means that the allocation of resources for cyber security specifically is likely to be more closely in line with other business costs. This could be good news for managed security service providers (MSSPs), which are frequently engaged to augment organisations’ internal cyber capabilities.  

But not all is rosy, according to Gartner, which claims that only 12 per cent of boards of directors have a dedicated board-level cyber security committee.

“It’s time for executives outside of IT to take responsibility for securing the enterprise,” said Paul Proctor, distinguished research vice president at Gartner.

“The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve.”


Indeed, Gartner’s research has found that in 85 per cent of organisations surveyed, the CIO, CISO or the equivalent was the top person held accountable for cyber security, with just 10 per cent of organisations holding non-IT senior managers accountable.

“IT and security leaders are often considered the ultimate authorities for protecting the enterprise from threats,” said Proctor. “Yet, business leaders make decisions every day, without consulting the CIO or CISO, that impact the organisation’s security.”

As such, Gartner hopes to encourage CIOs and CISOs to ‘rebalance’ accountability for cyber security so that it is shared with business and enterprise leaders.  

On the upside, 66 per cent of CIOs intend to increase cyber security investments in the coming year, according to separate research by the analyst firm.

At the same time, however, Gartner’s projections also show that overall growth in cyber security spend is likely to slow through 2023.

“After years of such heavy investment in security, boards are now pushing back and asking what their dollars have achieved,” said Proctor.

“CIOs and CISOs must leverage their expertise to increase transparency around investment and risk, to drive shared accountability for security across the business,” he added.

As reported in April, fellow analyst firm IDC reckons that security hardware, services and software in the Asia Pacific region will reach US$23.1 billion this year. 

The anticipated security investment throughout the region in 2021 represents an increase of 12.6 per cent over the previous year, according to IDC's figures.

Moreover, IDC said it expects investment in security-related products and services to grow at a five-year compound annual growth rate (CAGR) of 13.3 per cent over the forecast period, from 2019 to 2024, and reach US$35 billion by 2024.

A combination of factors is driving the growth, including increased cloud adoption, an unprecedented work-from-home migration and transformation projects by enterprises to overcome operational challenges.

“2020 defined the importance of digital for everyone globally, but it also highlighted shortcomings in security strategies,” said IDC Asia Pacific trust, security and blockchain research vice president Simon Piff. “While leading organisations are starting to adopt a more platform-based approach, the majority are still buying point-solutions to address specific concerns. 

“This majority needs to change their mindset and invest more strategically into their security architectures,” he added.