Trend Micro has revealed that European business and IT leaders are more likely than their North American peers to view cybersecurity as part of the business mission — but that there’s still plenty of room for improved alignment.
The Trend Micro-sponsored research was conducted by the Enterprise Strategy Group
It found that 73% of European respondents today view cybersecurity partially or entirely as a business area, versus just 58% in North America. In addition, 80% of European organisations indicated that most (47%) or some (32%) of their board members are knowledgeable about cybersecurity.
What’s more, things are improving, with 82% claiming that the board is somewhat or much more engaged with security than it was two years ago.
This is good news as, when board members are more educated and engaged, they ask tougher questions, dig into issues, and make the leap from cybersecurity to business issues, the report noted.
However, there’s still a long way to go: less than half of European respondents rated their C-level executives’ commitment to cybersecurity (49%) or their organization’s intention to build cybersecurity into business processes and IT initiatives (45%) as adequate or fair. Over half (56%) rated their company-wide commitment to cyber-hygiene as adequate, fair, or poor.
By minimising their commitment to cybersecurity, boards can inadvertently increase risk and make the deployment of security controls more complex and costly than they need to be. This comes at a time when 77% of European respondents believe cyber-risk is increasing, primarily due to escalating threat levels.
European organizations are also more mature than their North American counterparts in areas like GRC (29% versus 15%) and third-party risk management (22% versus 13%). However, they are not investing in application security (3%), security engineering/SDLC (6%), or endpoint security (5%) despite the renewed focus on these areas since the start of the pandemic.
“The GDPR has forced closer collaboration between cybersecurity and the business among European organisations, as this study clearly shows. But while this is laudable, it’s disappointing to see areas like application and endpoint security still being neglected,” said Camilla Currin, Cybersecurity Consultant at Trend Micro. “These will be crucial for organisations to drive the kind of secure digital transformation projects on which post-pandemic growth must be built. The first stage is getting the board to understand the strategic criticality of cyber to business success.”
The report makes the following recommendations to improve cyber-business alignment:
·Create a Business Information Security Officer (BISO) role to drive security into business processes, critical assets, sensitive data, and employee roles
·Change the reporting structure so that the CISO reports directly to the CEO, for greater exposure and alignment
·Formalise and document a top-down cybersecurity programme highlighted by KPIs and established metrics, to help CISOs better communicate with business executives