88% of board of directors find cybersecurity as business risk

New Delhi: Nearly 88 per cent of boards of directors view cybersecurity as a business risk as opposed to a technology risk. However, only 12 per cent of them have a dedicated board-level cybersecurity committee, according to a new report.

Even as business leaders are aware of the need to secure the enterprise against new and evolving threats, responsibility for security mostly lies with IT leadership, says global market research firm Gartner.

Gartner found that in 85 per cent of organisations, the CIO, CISO or their equivalent was the top person held accountable for cybersecurity and just 10 per cent of organisations held non-IT senior managers accountable.

"It's time for executives outside of IT to take responsibility for securing the enterprise," said Paul Proctor, distinguished research vice president at Gartner.

"The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve," he added.

IT and security leaders are often considered the ultimate authorities for protecting the enterprise from threats.

"Yet, business leaders make decisions every day, without consulting the CIO or CISO, that impact the organisation's security," Proctor stressed.

CIOs and CISOs must rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders, the report mentioned.

Gartner recommended that IT and security leaders work with executives and board of directors to establish governance that shares responsibility for business decisions that affect enterprise security.

"After years of such heavy investment in security, Boards are now pushing back and asking what their dollars have achieved," said Proctor.