While enterprises understand the importance of security, many still might lack a dedicated cybersecurity budget and a relevant culture to address the issue.
According to a recent Sophos report based on a survey of 900 business decision makers across Asia Pacific and Japan, only 34% of organizations have a dedicated cybersecurity budget, even though 66% believe the lack of security expertise is a challenge for their organisation and 67% see the recruitment of skills as a struggle.
The lack of a separate cybersecurity budget
In most cases, their cybersecurity budgets are included as part of other broader IT or other departmental spend, the tech company pointed out.
While it’s still common for businesses to see security as a pure IT responsibility, Chester Wisniewski, principal research scientist at Sophos, said that everyone, including C-level staff, is responsible for security.
Creating a security culture
Senior leaders in an organization need to understand their role in creating a security culture within different teams, he pointed out.
There is a trend towards moving security outside of IT, either into an independent function or having it report directly to the CIO, he observed.
“It’s important that security teams have a seat at the leadership table and aren't reporting into a group whose financial incentive is to proceed with risky projects despite security risks not being addressed,” Wisniewski advised.
The CFO’s role in cybersecurity
When it comes to the finance function, which is both a primary target for cyber-incidents and a regulatory risk, he said that the CFO has a real role to play in setting the tone for the entire group to treat security as a critical function of the finance team.
“The CFO should be coordinating with the security team to identify the latest risks targeting finance professionals, implementing processes and training to help mitigate those risks and establishing procedures to investigate and preserve evidence in case an incident occurs,” he noted.
Asked how C-level executives should work together to influence the cybersecurity culture within an organization, Wisniewski said each member of the C-suite has to first ask himself or herself which part of the organisation is dependent on IT services and data.
“That's who must support and promote security within their teams,” he pointed out.
While the security group is responsible for monitoring the current threats facing the organization and for assessing the risk and potential solutions and mitigations, the rest of the leadership team must decide how to deal with those risks and work to mitigate them through education, policy, culture and financial support for staff and solutions, he advised.