The Thales 2020 Access Management Index Survey of 300 IT security professionals in the US and Brazil found a huge shift in how ‘easy’ or ‘difficult’ it is for IT departments to sell company Boards on the need for increased IT security resources. In last year’s survey, 44% reported that this was an ‘easy’ sell, while 33% reported it was ‘difficult’. This year, 65% report that it is an ‘easy’ sell, while only 16% report that it is ‘difficult’. 20% report that it is ‘Neither easy nor difficult’.
Top explanations of those who report that it is a ‘difficult’ sell were:
- 48% ‘Priority being placed elsewhere’,
- 47% ‘Budget constraints’,
- 41% ‘The Board think that what we have is adequate’,
- 35% ‘The board doesn’t fully understand the risks of poor IT security’.
The survey did reveal some problematic practices. 58% of respondents allow employees to log on to corporate resources using social media credentials.
This survey is in line with the recent trend that more boards are taking cybersecurity more seriously than they have previously and are better informed about the risks companies face. One key takeaway from the survey is that IT specialists report that less than 6% of boards ‘do not fully understand the risks of poor IT security’. The actual number of boards that do not fully understand the risks of poor IT security is much higher.
Convincing management and boards to take cybersecurity seriously is much less of a challenge than it was even one year ago. The problem that many stakeholders — not just boards, but management, shareholders and regulators as well — still grapple with is how to measure the effectiveness of their cybersecurity initiatives, spending and overall cyber governance. Good cyber governance cannot be achieved simply by increasing IT spend. In fact, significant redundancies in security technologies and the underutilization of tools companies have already purchased are issues for many companies. And without standard metrics that help measure cyber governance, similar to the metrics that exist for any other business risk, these stakeholders remain without a clear guide as to whether they are underinvesting or overinvesting in cyber governance. How much of the budget should be spent on network security? Or on the management system? Or on security personnel? How would investment in any one area verifiably improve security posture? These questions have largely been the domain of the IT and security team.
To date, boards have not been provided reporting on cyber in tangible, financial terms based on real-time, market-tested, accurate data. Now that is possible. Previously, when board members asked CISOs how the company’s cyber performance compared to peers on an objective basis or how much cyber risk was impacting enterprise value, standard questions for other financial risks, they would have been met with blank stares. Now that information is available in a market-validated form.
It is positive that boards continue to report higher levels of confidence in understanding IT risks and see the value of increasing investment in IT generally at a time when companies depend on digital technology to function now more than ever. This is an indication of the attention being paid to the risk by the board and C-suite. But the confidence is ill-founded at many companies, and it doesn’t have to be.