The C-suite battle for cybersecurity leadership is rife with knowledge gaps, a lack of resources, and disagreements about who is actually in charge of responding to a breach, according to a Monday report from Nominet Cyber Security.

The report surveyed 400 C-suite executives from enterprises in the US and UK. More than three-quarters (76%) of executives said a cybersecurity breach is now “inevitable,” the report found. Despite this, 90% said they believe their company is missing at least one resource that would help them defend against a severe cyber attack.


Senior managers reported a lack of advanced technology (59%), reluctance to accept advice (46%), a lack of budget (44%), and a lack of people resources (41%)—all of which are necessary in a cybersecurity strategy, the report noted.

Confusion remains at the executive level as to who is ultimately responsible for responding to a data breach, according to the report. Some 35% of those surveyed said they believe the CEO is in charge of the business’s response, while 32% said it was the CISO.

The majority of C-suite members (71%) said they have gaps in their cybersecurity knowledge around some of the major cyberthreats facing organizations today, with the most common gaps around malware (78%). This is particularly concerning, as 70% of businesses said they had found hidden malware in their networks, the report found.

When a breach occurs, it is most often first reported to the security team (70%) or the executive/senior management team (61%), as opposed to the board (40%).

One-third of CEOs surveyed said they would terminate the contract of employees who were responsible for a data breach, the report found.

Breach response confusion

In the aftermath of a breach, executives reported confusion in terms of collaborating to resolve the issue, the report found. While 54% of CISOs said they would receive assistance from other members of the C-suite, only 38% of C-suite members said they would work with the security team to solve a security issue.

CISOs also reported confusion over their own role in the workplace. Only half of CISOs said they feel valued by the rest of the executive team, from a revenue and brand protection standpoint. And 18% said they believe the board is “indifferent” to the security team, or even sees it as an inconvenience, according to the report.

However, support for CISOs among the board is actually higher than these professionals perceive, the report found: While CISOs said they think just 52% of their board of directors see them as a “must have,” in reality, 76% do.

The feeling of not being valued can have a damaging impact on the CISO. Some 27% of these professionals said the stress of their job is impacting their physical or mental health, and 28% said the stress levels are having an adverse effect on their ability to do their job.

“It’s good to see that business leaders are aligned on the fact that cyber attacks are pretty much an inevitable part of working life. Acceptance is the first step to protection,” Russell Haworth, CEO of Nominet, said in a press release. “There’s also a dedication to keeping customer and client data safe. But the bad comes with the power struggle at the top, with confusion over who should actually take responsibility in case of a data breach or cyber attack, which is detrimental to the safety and security of the business.”

The disconnect between how valued CISOs feel and how important they are is concerning, Haworth said in the release. “Boards and CISOs need to sit down and agree exactly what the responsibility of the CISO is, and exactly who’s in charge of the business’ response to the pervasive cyber threat,” he added.
