Global CISOs are routinely belittled and dismissed as being overly negative by their board, according to new Trend Micro research highlighting a “credibility gap” within the function.
The security vendor polled 2600 IT leaders with responsibility for cybersecurity to compile its latest report, The CISO Credibility Gap: How a Communication Breakdown in the Boardroom is Hurting Cyber-Resilience.
It revealed that CISOs are failing to win the trust of business leaders. Of those interviewed, 79% claimed they have felt boardroom pressure to downplay the severity of cyber-risks facing their organization.
Of these:
- 43% said it is because they are seen as being “repetitive” or “nagging”
- 42% claimed that they are viewed as overly negative
- 33% have been dismissed “out of hand” by the board
This matters, because an unengaged board is less likely to think of cybersecurity in strategic terms. A third (34%) of responding CISOs claimed cyber is still treated as part of IT rather than business risk in their organization.
Unengaged or disinterested boards also tend to eschew proactive investments in cyber – leading ultimately to breaches and rash, reactive spend to shore up defenses, the report argued.
Read more on CISO-board alignment: UK Boards Are Growing Less Concerned About Cyber-Risk
Some 80% of respondents claimed that the board would only be incentivized to act decisively on business risk if a breach occurred. They estimated that, on average, a financial loss of £150,000 would be enough to nudge the C-suite into action.
“On the other hand, when they are able to align cyber with business strategy, the benefits are clear,” the report continued. “Half (46%) of respondents say that when they have been able to measure the business value of their cybersecurity strategy, they’ve been viewed with more credibility.”
Over two-fifths of respondents said they have been given more budget (43%) and responsibility (45%) as a result, with a similar share (41%) reporting that they’ve been brought into senior decision making.