Companies are expected to place an even bigger emphasis on cybersecurity in the coming years, as four out of every 10 boards of directors will have a dedicated cybersecurity committee, according to Gartner.
The prediction from the technology research giant’s 2020 Board of Directors Survey comes during one of the worst periods for cyberattacks in recent history, including the massive SolarWinds compromise and a rise in ransomware. Gartner says the increased risk is in part due to organizations’ expanded digital footprint driven by remote work.
According to Gartner, 40% of boards of directors will have a dedicated cybersecurity committee that will be overseen by a qualified board member. That figure is up from less than 10% today.
Gartner’s survey also found that cybersecurity risk is rated as the second-highest risk of doing business, outdone only by regulatory compliance.
Despite that acknowledgement of the risk, many directors indicated that their company isn’t properly secured.
“To ensure that cyber risk receives the attention it deserves, many boards of directors are forming dedicated committees that allow for discussion of cybersecurity matters in a confidential environment, led by someone deemed suitably qualified,” said Sam Olyaei, research director at Gartner. “This change in governance and oversight is likely to impact the relationship between the board and the chief information security officer (CISO).”
This will also impact the relationship between IT and key executives, as Gartner predicts that by 2024, 60% of CISOs will establish partnerships with executives in sales, finance and marketing. That’s up from just 20% today.
“Effective CISOs realize that heads of sales, marketing and business unit leaders are now key partners as the use of technology and, subsequently, the incurrence of risk happens outside of IT,” said Mr. Olyaei.
The fact that just 20% of IT security chiefs establish partnerships with key stakeholders outside of IT presents a giant issue, for a few key reasons:
- Buy-in. If managers and rank-and-file employees don’t see their leaders buying into a cybersecurity mindset, it won’t ever happen. Training and end-user adoption are part of the process, but putting that into constant practice and making it part of the job will take buy-in from everyone – especially at the top.
- Visibility. If IT security leaders aren’t working alongside department leaders, they have no visibility into how those departments practice cybersecurity. Working together gives IT leaders insight into how applications are actually used and where the legitimate cyber risk lies.
- Integration. If IT security leaders establish a presence with key non-IT stakeholders, cybersecurity gets baked into every aspect of the business, as it should already be.