The 2022 Gartner Board of Directors survey revealed that around 88% of boards view cybersecurity as a business risk, not a technical issue. In 2024, 38% of executives believe security is critical for enterprise and revenue growth. However, Paul Proctor, distinguished VP analyst at Gartner, said that boards have no idea how to govern cybersecurity as a business issue, and executives have no idea how to guide cyber investment as a business issue.
"Bottom line, no one can explain the business value of security control to your CFO, so we can't have an adult conversation about business-led investment in security. The world's in a very bad place because of that. Cybersecurity has been a board-level issue for more than 15 years. Now, in that time, I've reviewed more than a thousand board presentations and met with dozens of boards on cybersecurity," Proctor posits.
He concludes: "We need smarter money. Not just more money. Boards have no idea how to treat cybersecurity as a business decision. They treat security like magic and security people like wizards that, you know, cast protection spells. And if something goes wrong, we blame the wizards."
Proctor explores how cybersecurity leaders can communicate the risks, value and cost of cybersecurity to their CEOs and other executives in order to work towards more effective outcomes.
The episode features:
- The state of cybersecurity decision making.
- Outcome driven metrics.
- Revolutionising measurement, reporting, and investing in security.
Originally posted on Gartner.