Despite the growing cybersecurity risks in the enterprise, only 38% of CEOs and 23% of board members are “highly engaged” in cybersecurity, according to a recent report from Deloitte.

In the report, 96% of both CEOs and board members said they believe their organizations will face security threats and disruptions over the next two to three years, but they’re not necessarily prioritizing their resources accordingly. Chuck Saia, CEO of Deloitte Risk and Financial Advisory at Deloitte & Touche LLP, said in a press release that these executives might see threats on the horizon, but fail to understand their interconnectedness.

“Many are still using traditional approaches, tools, and technologies to detect and manage threats,” Saia said in the release. “Today’s risk environment requires leaders to challenge the status quo, prioritize investments and identify and analyze threats before they emerge. Simply put, accelerating performance and growth requires a different way of thinking about risk.”

SEE: Information security incident reporting policy (Tech Pro Research)

Survey respondents ranked the Internet of Things (IoT) as the biggest threat, and artificial intelligence (AI) in second place. However, the report said, there is often a lack of CEO-board alignment on these issues, and threat reporting is often too technical and detailed for these professionals to fully understand.

While these leaders are strongly focused on digital transformation and disruption, they often aren’t doing enough to protect their brand and reputation in the process. Reputation risk can damage stock prices and more, but only 42% of CEOs and 50% of board members said they had discussed their organizational reputation within the last year. Additionally, 53% of CEOs and 46% of board members weren’t able to identify events that could damage their organization’s reputation.

Another issue faced was that of the extended enterprise–namely, security risks posed by vendors and third parties. Some 62% of CEOs said their third-party partners had weaker security strategies than their own, but only 39% of board members said the same thing, the report said. Leaders mentioned their plans to tackle these issues in-house, but didn’t seem to have much in the works.

One of the most underestimated cybersecurity risks is the risk to culture. The report defines culture as “a system of values, beliefs, and behaviors that shapes how things get done within an organization.” Risk pops up when the organization’s values are misaligned with the actions of employees or leadership, and not properly checking the health of culture can be detrimental to a business.

The big takeaways for tech leaders:

  • Only 38% of CEOs and 23% of board members are “highly engaged” in cybersecurity, despite the growth of threats and risks. — Deloitte, 2018
  • IoT and AI are the two biggest risks to cybersecurity strategies in the enterprise. — Deloitte, 2018