Despite great burden, cybersecurity chiefs have no direct line to CEOs


More than half (55%) of organisations in the Asia-Pacific region have experienced a cyberattack in the last two years and spend an average of US$17 million each on security activities, according to a new report from LogRhythm.

Among these firms, 43% believe that IT security leaders should be held most accountable for preventing or mitigating the consequences of a cyberattack, compared to the CEO (18%) or both of them (22%).

The study was conducted with Ponemon Institute, and covered 1,426 respondents across APAC; Europe, Middle East and Africa; and the United States.

Cybersecurity leaders in APAC have assumed greater accountability and risk for ensuring a strong security posture in the past year (61%), compared with the global average (56%).

In particular, cybersecurity leaders in APAC believe that they must contend with risks like phishing and social engineering attacks (61%), ransomware (59%) and device vulnerabilities (58%). 

At the same time, while 60% of respondents believe that cybersecurity leaders should report directly to the CEO, only 6% of security leaders in APAC actually do. 

On average, they are three levels away from the CEO, which poses challenges in ensuring that the leadership have an accurate and complete understanding of security risks facing the organisation. 

Only 37% of respondents in APAC agree that their organisation values and effectively leverages the expertise of their cybersecurity, compared to 43% globally.

This lack of understanding from senior leadership (52%) and lack of executive support (51%) have subsequently been identified as key factors leading to concerns around job security.

At a time when the Covid-19 pandemic has brought about new security challenges, 69% of APAC respondents, the highest globally, indicate that their biggest security challenge today is securing the remote workforce. 

The research also revealed that even amid the rising threat of cyberattacks, only 29% of cybersecurity leaders in the region report to the board of directors to brief them on cybersecurity risks. 

Further, only 43% of them do so reactively after a security incident occurs, while 76% of firms also do not have a board-level committee dedicated to the cybersecurity threats and issues facing the organisation.

“Security leaders are assuming more responsibility and bearing more risks but without organisational visibility and a direct line of contact with their CEO and board of directors, they lack the influence to implement a holistic and mature security program,” said Joanne Wong, VP of international markets at LogRhythm.

“It is crucial that organisations recognise the need to adopt cybersecurity priorities as a central plank in their business strategy, and empower their cybersecurity leaders and team with the support and resources they need to safeguard their business effectively,” said Wong.