Leaders agree that cybersecurity is a business risk, but are they acting on that belief?

Despite nearly unanimous agreement, there's still a lack of clarity on who is accountable for security incidents and whether previous security investments have paid off, a Gartner survey finds.


A Gartner survey of the members of various boards of directors finds that, while 88% believe that cybersecurity should be classified as a business risk instead of a technology one, the actions they've taken don't necessarily reflect that.

Organizations that classify cybersecurity as a business risk would naturally have a senior-level non-IT person accountable for it, but only 10% of leaders reported that to be the case in their organizations. 


Additionally, the report found that cybersecurity spending is still increasing, but the rate of increase has slowed, further revealing a shift in perspective: security is no longer a hole to throw money into, but a business investment that should provide a return. "After years of such heavy investment in security, boards are now pushing back and asking what their dollars have achieved," said Gartner distinguished research VP Paul Proctor. Despite this, only 12% of respondents said that their boards had a dedicated cybersecurity committee.

Why the disconnect?

Acknowledging the problem is a good first step, and the above statistics indicate that boards are starting to face up to the issue, but that isn't all they have to do. "It's time for executives outside of IT to take responsibility for securing the enterprise," Proctor said.

That means the 90% of businesses without a non-IT senior leader accountable for cybersecurity need to find one, and the 88% that don't have a board-level cybersecurity committee need to start one. 

"For years, boards have treated security like magic and security people like wizards. They give the wizards money to cast technology spells, and if something goes wrong they blame the wizards. This has led to some very bad decisions," Proctor said. 

Jokes aside, Proctor said that the statistics from the study represent a mixture of intentions and reality checks for board members, many of whom have taken the problem seriously for years but with little desire to know what's actually happening in the occult depths of their server rooms.


"Boards are finally ready to stop treating security like magic, but it will take years to figure out how to actually do that. The secret is to invest in it through a business lens and to balance the needs to protect with the needs to run their business," Proctor said. 

Gartner recommends that IT and security leaders work directly with boards of directors to establish proper governance rules that share responsibility for any business decision that could possibly have an effect on enterprise security. 

If done correctly, Gartner notes, security leaders could even manage to prevent budget cuts that are largely an issue of transparency. "CIOs and CISOs must leverage their expertise to increase transparency around investment and risk, to drive shared accountability for security across the business," said Proctor.
