Low board engagement, possible ransom bans increase Australian businesses’ cybersecurity risks

If Australia bans insurers from paying ransoms, cybersecurity-ignorant boards will be in for a shock.


Security executives have made little progress in engaging senior business executives, according to new research that found CISOs continue to operate, on average, three reporting levels below the CEO. That disconnect sets boards up for a shock as a growing Australian push to ban ransomware insurance payouts threatens to remove a key risk safety net.

Although 60% of global executives believe security leaders should report directly to the CEO, only 6% actually do so, according to a study by the Ponemon Institute and security vendor LogRhythm assessing security executives’ progress in turning security priorities into business priorities. “Despite respondents having complete ownership or significant influence over an average annual budget of [US$17 million],” the report notes, “most IT security leaders are still not having a direct relationship with the CEO and board of directors.”

And while 55% of organisations said they had suffered a cybersecurity attack in the past two years, the fact that 94% of respondents still do not report directly to the CEO points to a major gap between what executives say they want and what their organisations actually do.

The figures come as no surprise to Claire Pales, director of consultancy the Secure Board and co-author, with director Anna Leibel, of a book on the challenges of changing the relationship between security and business executives.

Australian boards not keeping up on cybersecurity
