Underfunded and Unaccountable: How a Lack of Corporate Leadership is Hurting Cybersecurity
Cyber risks are spiralling out of control, with Trend Micro blocking 161 billion threats in 2023 alone, a 10% annual increase. As organisations pursue digital transformation, their expanding digital attack surfaces attract cybercriminals who easily exploit vulnerabilities. This has prompted global regulators to push for greater accountability from business leadership in managing cyber risks.
In the US, the SEC now mandates disclosure of significant cybersecurity incidents and requires organisations to detail their risk management processes, including management and board roles. Similarly, the EU's NIS 2 directive mandates management approval of cyber risk measures, oversight of implementation, and specialised security training, with personal liability for severe breaches.
A survey by Sapio Research of 2,600 IT leaders across various regions indicates that regulators are justified in their stringent stance on boardroom accountability. Many organisations lack the resources and strategic leadership necessary for effective cybersecurity.
The cyber threat landscape is constantly evolving, driven by a lucrative cybercrime ecosystem worth trillions of dollars. Emerging AI tools amplify these threats, while security teams, facing a global shortfall of nearly four million professionals, struggle to keep up. Digital investments increase attack surfaces and create new skills challenges for IT teams.
Our research reveals that 96% of IT leaders are concerned about their attack surface, with nearly 40% struggling to discover, assess, and mitigate high-risk areas. Additionally, 19% lack a unified view of their cybersecurity posture due to tool bloat and siloed solutions.
Leadership issues exacerbate these problems. Nearly half (48%) of respondents believe their leadership does not see cybersecurity as their responsibility. There is no consensus on who should mitigate business risk: 42% point to the CEO, 34% to the CIO, 26% to the CISO, 20% to the CFO, 16% to the COO, and 14% to the CMO. This lack of clarity leads to inconsistent policies and a lack of strategic vision, with over half (54%) reporting fluctuating organisational attitudes towards cyber risk.
The consequences of lacking accountability are severe. Significant gaps in cyber-resilience include insufficient staffing for 24/7/365 coverage (only 36% have adequate staff), poor attack surface management (35%), and not following regulatory frameworks like the NIST Cybersecurity Framework (34%). Such deficiencies increase the risk of financially and reputationally damaging breaches. In the US alone, data compromises reached an all-time high last year, affecting over 353 million victims.
Boards often act only after significant financial losses, averaging £133,500. With more regulations and potential criminal liabilities on the horizon, business leaders must take decisive action now to manage cyber risk effectively. The time to act is not after a breach but now, before the next cyber catastrophe strikes.