CISOs in enterprises are regularly asked to share insights on the cybersecurity status of the organization and to discuss security recommendations
A new study has found that although several chief information security officers (CISOs) offer direct advice to company directors, there is a lack of dedicated investment in cybersecurity. According to the report by Kaspersky, 89% of CISOs say their leadership asks them to provide recommendations for the business. However, half of the enterprises still lack dedicated cybersecurity investment. Also, various companies force their IT departments to share their budgets with other sectors. Around 55% of survey respondents said they have to share their organization’s IT budget.
The report surveyed 305 respondents that have senior or executive responsibility for cybersecurity in enterprises, globally. The higher-level management seeks advice from IT security leaders regardless of the organization’s reporting structure, with only 23% reporting to the board, found the report. Sixty percent of respondents said that business leaders garner input from their CISOs most often in the case of an internal cybersecurity incident. Moreover, executives are also proactive about cybersecurity at all times.
Fifty-seven percent of the surveyed IT security chiefs schedule meetings with the board regularly. Meanwhile, 56% are asked to provide their expert opinions on future IT projects. As per the report, CISOs struggle while justifying necessary spending on IT security even though they are valuable to the board.
The report found that one of the top three challenges faced by 43% of surveyed respondents is in the idea of being in direct competition with other business and IT initiatives. Veniamin Levtsov, VP of Corporate Business, at Kaspersky stated in the report that the board understands that cybersecurity is an essential part of business success. However, most CISOs still struggle to convert this understanding into actual support.
Some of the vital components for leadership buy-in are – explaining details in business language instead of using technical jargon, solving problems, and bringing in third-party expertise to justify meaningful measures.
Read Also: Rationalizing Cyber Security Solutions