Some 54% of UK and US cybersecurity leaders have complained that their boards aren’t providing enough funding for vital initiatives, according to new research from Encore.
The cybersecurity consultancy polled 100 C-level executives, 100 CISOs and 500 workers on both sides of the Atlantic to better understand how aligned security teams are with business leaders.
Its report, The State of Cybersecurity 2022: A CISO’s Perspective, revealed that although 50% of boards across both regions claim to have cybersecurity at the top of their agenda, over 60% of CISOs feel unsupported.
The report argues that boards fail to invest properly until an incident has already happened. This piecemeal, reactive approach to security is the opposite of the proactive, strategic stance that leading organizations adopt.
In fact, more than one in 10 C-level executives surveyed still only discuss cybersecurity once a breach has occurred.
“C-level hesitance to invest more in cybersecurity makes it near impossible for CISOs to answer the hard question ‘are we safe?’ and ensure risk is properly managed and worth the investment,” said Encore co-founder Brendan Kotz.
“Security officers not only have to defend the business against a vast amount of known and unknown attacks, but they’re also being asked to stake personal reputation when there is a lack of board confidence in the controls themselves, never mind the operation or compliance of those controls.”
The findings chime with a Trend Micro study from earlier in the year, which found that only 50% of IT leaders believe the C-suite completely understands cyber risks.
In addition, 82% of IT decision-makers said they’ve felt pressured to downplay the severity of cyber risks to their board, while 90% claimed their business would be willing to compromise on cybersecurity in favor of digital transformation or other goals.