4 ways security has failed to become a boardroom issue

New research finds that despite being more engaged with cybersecurity, business executives and board members continue to view cybersecurity as a technology domain rather than a business concern.

Somewhere around 2015, the security industry adopted a new mantra, “cybersecurity is a boardroom issue.”  This statement was supported by lots of independent research, business press articles, webinars, local events, and even sessions at RSA and Black Hat crowing about the burgeoning relationship between CISOs, business executives, and corporate boards.

Has anything really changed since then?

To find out, ESG surveyed 365 senior business, cybersecurity, and IT professionals at organizations in North America (US and Canada) and Western Europe (UK, France, and Germany) working at midmarket (i.e., 100 to 999 employees) and enterprise-class (i.e., more than 1,000 employees) organizations.

As it turns out, there’s good news and bad news here.  The good news is that cybersecurity is indeed a boardroom level issue.  The bad news is that we are nowhere near where we should be.  For example:

• Cybersecurity is still perceived as primarily a technology issue. Twenty-eight percent of respondents believe cybersecurity is entirely a technology area, while 41% say that cybersecurity is mostly a technology area with some emphasis on the business aspects of cybersecurity.  Alarmingly, 11% still think of cybersecurity as a regulatory compliance area alone.  All of this means that boardroom-level discussions about cybersecurity center on things like open software vulnerabilities and numbers of incidents detected rather than securing customer communications, getting employees onboard, or building cyber-resilience into critical applications and business processes.  Same old priorities with a few more discussions.