A new Gartner report finds that 88% of boards of directors say cybersecurity is a business risk, but just a fraction of those have a dedicated board-level cybersecurity committee.
While nearly 9 out of 10 boards say cybersecurity is a business risk as opposed to a technology risk, just 12% have a dedicated board-level cybersecurity committee, meaning they aren’t elevating cybersecurity as a critical executive function.
Still, responsibility for cybersecurity lives mostly within IT and IT leadership, the survey suggests.
According to Gartner, the CIO, CISO or their equivalent was the top person held accountable for cybersecurity in 85% of organizations, while just 10% of organizations held non-IT senior managers accountable.
IT and security leaders are tasked with protecting the enterprise, but business leaders make decisions every day that could impact the organization’s security.
Gartner calls on organizations to rebalance accountability for cybersecurity so it is shared with business and enterprise leaders. Further, the technology research and consulting firm says organizations should have IT and security leaders work with executives and boards to establish governance that shares responsibility for business decisions that affect enterprise security.
This comes after recent Gartner research found that 66% of CIOs plan to increase cybersecurity spending in the coming year, but that growth will slow through 2023.
Now, boards are pushing back and asking what their dollars have achieved, said Paul Proctor, distinguished research vice president at Gartner, in a statement.
With security budgets set to shrink after several years of heavy investment, IT leaders will need to collaborate closely with executive leadership to reframe cybersecurity in a business context.
Proctor, citing the influx of ransomware and supply chain attacks, calls on executives outside of IT to take responsibility for securing the enterprise. Cybersecurity is now a business issue, not just another IT ticket.
“CIOs and CISOs must leverage their expertise to increase transparency around investment and risk, to drive shared accountability for security across the business,” said Proctor.