Businesses will have a dedicated cybersecurity committee by 2025

Article, CIO Tech Team, CIO Tech Asia

Board directors rate cybersecurity second-highest source of risk for the enterprise.

By 2025, 40 per cent of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10 per cent today, according to Gartner.

This is one of several organisational changes Gartner expects to see at the board, management, and security team level, in response to greater risk created by the expanded digital footprint of organizations during the pandemic.

According to the Gartner 2020 Board of Directors Survey, cybersecurity-related risk is rated as the second-highest source of risk for the enterprise, following regulatory compliance risk.

However, relatively few directors feel confident that their company is properly secured against a cyberattack.

“To ensure that cyber risk receives the attention it deserves, many boards of directors are forming dedicated committees that allow for discussion of cybersecurity matters in a confidential environment, led by someone deemed suitably qualified,” said Sam Olyaei, research director at Gartner. “This change in governance and oversight is likely to impact the relationship between the board and the CISO.”

During the pandemic in 2020, businesses and governments across industries became more exposed as they had to extend network security beyond the traditional boundaries of physical offices.

According to organisations like Cisco, 2020 highlighted the need to examine corporate privacy practices worldwide; Cisco's examination found that privacy protections took on greater importance during the pandemic and that businesses adopting strong privacy measures saw increasing benefits.

Cisco’s newly released 2021 Data Privacy Benchmark Study showed that, at a time of disruption and uncertainty due to the pandemic, people were suddenly expected, and at times required, to share their personal information to help curtail the spread of COVID-19.

At the same time, people shifted much of their lives online, accelerating a trend that would normally have taken years. These mass-scale shifts in human interaction and digital engagement presented many challenging data privacy issues for organisations that aim to follow the law and stop the spread of the pandemic while also respecting individual rights.

Consumers and the general public are growing increasingly concerned about how their personal data is being used.

Privacy is much more than just a compliance issue as businesses now see it as a fundamental human right and a mission-critical C-suite priority.

Privacy and the larger cybersecurity ecosystem will play a key role in the road to economic growth and COVID-19 pandemic recovery. As economies and communities begin to recover, many important challenges will arise that will test how governments, companies, and individuals collect, manage and protect personal data while balancing individual rights with public interest.

Privacy investment continues to be attractive, with 75 per cent of organisations seeing significant business value in terms of mitigating security losses, enhanced agility, and innovation, improved operational efficiency, and improved customer loyalty and trust. Over one-third of organizations are getting benefits at least twice their investment.

About 60 per cent of organisations say they weren’t prepared for the privacy and security requirements involved in the shift to remote work.

  • 93 per cent of organisations turned to their privacy teams to help navigate these challenges
  • 87 per cent of consumers expressed concerns about the privacy protections of the tools they needed to use to work, interact and connect remotely
  • 90 per cent of organisations are now reporting privacy metrics to their C-suites and boards

While CISOs should expect more scrutiny as a result, they are also likely to receive more support and resources, according to Gartner. They must also expect executive conversations to shift away from performance and health-related discussions towards risk-oriented and value-driven exercises.

Gartner also predicts that by 2024, 60 per cent of CISOs will establish critical partnerships with key executives in sales, finance, and marketing, up from less than 20 per cent today.

“Effective CISOs realise that heads of sales, marketing and business unit leaders are now key partners as the use of technology and, subsequently, the incurrence of risk happens outside of IT,” said Olyaei.

According to the Gartner CISO Effectiveness Index, top-performing CISOs regularly meet with three times as many non-IT stakeholders as IT stakeholders, and they meet with them more frequently than bottom performers do.

Cyber, physical and supply chain security converge

For asset-intensive enterprises such as utilities, manufacturers and transportation networks, security threats targeting cyber-physical systems present an increasing risk to the organization.

Bad actors increasingly target weaknesses wherever they are, as demonstrated by the surge in ransomware affecting organizations’ operational systems and recent supply chain attacks.

The siloed nature of today’s security disciplines then becomes its own risk and a liability to the organisation, and the IT-centric focus of most security teams needs to expand to include threats in the physical world.

Gartner predicts that by 2025, 50 per cent of asset-intensive organizations will converge their cyber, physical and supply chain security teams under one chief security officer role that reports directly to the CEO.

Remote work can improve access to IT security talent

Gartner research conducted pre-COVID-19 found that 61 per cent of organizations surveyed were struggling to find and hire security professionals.

“As organisations shifted to remote working in response to the pandemic, it proved that some, if not all, security capabilities could be delivered remotely,” said Richard Addiscott, senior research director at Gartner. “This includes security monitoring/operations, policy development, security governance and reporting, security awareness, and incident response via dispersed teams. Cybersecurity teams can work remotely and still provide effective capabilities.”

As a result, Gartner predicts that by 2022, 30 per cent of all security teams will have increased the number of employees working remotely on a permanent basis.

Gartner recommends that security and risk leaders consider adapting their operating models and expand their job advertising to gain access to candidates residing outside of their organisation’s traditional recruitment geographies.

The 2021 Gartner Board of Directors Survey was conducted online from May through June 2020 with 265 respondents in the US, EMEA and APAC who held a board director role or were members of a corporate board of directors.