Chief information security officers (CISOs) in Asia-Pacific often have weaker relationships with their organisations’ board leadership than their global counterparts and find it harder to promote cybersecurity, according to a study released two weeks ago.
Only 18 per cent of Asia-Pacific’s cybersecurity leaders say their boards are likely to boost their budgets in the next three years. Across the world, this is 27 per cent.
The findings are based on a report on the goals, priorities, and business strategies of CISOs and their boards of directors by Splunk, which provides software to analyse corporate data, and Oxford Economics, an economics advisory firm.
Currently, fewer Asia-Pacific boards are expected to consider bolstering their cyber programme as a top investment priority for the next year (9 per cent of Asia-Pacific CISOs compared to 27 per cent worldwide). Instead, company expansion is the primary objective of 38 per cent of Asia-Pacific CISO respondents.
Despite the uneasy relationship, the report found that CISOs are engaging more with the boardroom, and are more able to make strategic decisions for the business.
Globally, 82 per cent of surveyed CISOs now report directly to the CEO, a significant increase from 47 per cent in 2023.
In addition, 83 per cent of CISOs participate in board meetings often or most of the time. However, only 22 per cent of Asia-Pacific CISOs report that they attend all or most board meetings.
“As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other in order to drive digital resilience,” said Michael Fanning, Splunk’s CISO.
This means CISOs need to understand the business outside of their IT environments and come up with fresh approaches to convince their boards of the value of security efforts, he noted.
For board members, their job involves committing to a security-first culture and consulting the CISO on enterprise risk and governance issues, he added.
Compliance is another issue that Asia-Pacific businesses have to deal with. Of all regions, the Asia-Pacific region has the greatest percentage of CISOs who claim to have been pressured not to disclose an incident or compliance problem (28 per cent).
This comes as many countries in the region are still developing clear rules for reporting cybersecurity incidents. Compared to other regions, just over 40 per cent of Asia-Pacific firms have established incident reporting procedures.
Notably, only 18 per cent of Asia-Pacific boards report using generative AI for cybersecurity to some degree, which is less than the worldwide average.
That could change soon, however, as 44 per cent of boards plan to use GenAI for cyber defence in the next year, according to the study.