This post was originally published here by (ISC)² Management.
While C-level executives understand the need for cybersecurity as their organizations undergo digital transformation, they aren’t prioritizing it enough, according to a recent Deloitte report based on a survey of 500 executives.
The report, “The Future of Cyber Survey 2019,” reveals a disconnect between organizational aspirations for a “cyber everywhere” future and their actual cyber posture. One area where this is evident is in budgeting, with organizations allocating only 14% of their digital transformation budgets to cybersecurity.
Further evidence is how often cybersecurity appears on the agendas of company board meetings. Cybersecurity makes it onto the board agenda at least quarterly in 49% of organizations, which is a positive sign, but it also means the remaining 51% of organizations address it less frequently. Only 4% of respondents said cybersecurity appears on their board’s agenda on a monthly basis.
Overall, the report reveals that while organizations are aware of the need for a strong cybersecurity posture, their actions don’t necessarily reflect that need. “There is still much work to do in aligning cyber initiatives to executive management’s digital transformation priorities,” the report says.
As organizations move forward with digital transformation, they should adopt a “cyber everywhere” perspective, with everyone within an organization sharing cybersecurity responsibilities.
“As the world becomes smaller, cyber is getting bigger, and it’s moving in multiple dimensions across multiple disciplines—beyond an organization’s walls and IT environments and into the products it creates, the factories where it makes them, the spaces where its employees conceive them, and where its customers use them,” the report says.
Yet, less than one fifth of organizations (18%) have security liaisons in their business units “to foster greater collaboration, innovation, and security.” Those that do, the report reveals, are more effective in managing cyber risk through collaboration and innovation.
More often, interaction between the cybersecurity team and business units occurs through security assessments (29%) or security steering committees working with business units (29%). About one quarter of organizations (24%) use separate security organizations within each business.
The financial services sector, the survey found, is doing a good job of creating an effective cybersecurity culture by embedding security officers in business units. “Their sole mission is to embed security in new initiatives, manage compliance, and foster collaboration and modernization. This model becomes a catalyst for better efficiency and risk management.”
Breaches Are Common
Nearly all respondents (95%) said their companies have experienced multiple cyber attacks. More than half (57%) said their most recent breach occurred within the past two years, seriously impacting revenue, reputation and leadership stability.
One third of respondents (32%) said their company’s CISO reports to the CEO, which Deloitte found encouraging because its earlier research put the number closer to 20%. Either way, it’s a small percentage. Companies with CISOs reporting directly to the CEO are more likely to have a strong cybersecurity culture.
Overall, the report concludes, organizations need to become more nimble, flexible and collaborative to secure themselves, their employees, customers and partners. For that to happen, C-level executives need to prioritize cybersecurity as their companies transform themselves for a digital future.