Report: 93% of APAC security leaders not reporting to CEOs

More than half of the organisations (55%) in the Asia–Pacific region (APAC) have experienced a cyber attack in the last two years and spend an average of US$17 million each on security activities, according to research from LogRhythm. Of these organisations, 43% of respondents believe that IT security leaders should be held most accountable for preventing or mitigating the consequences of a cyber attack, compared to the CEO (18%) or both the CEO and IT security leader (22%).

The research report, which focuses on the roles and responsibilities of cybersecurity leaders, revealed that APAC cybersecurity leaders assumed greater accountability and risk for ensuring a strong security posture in the past year (61%) compared with the global average (56%). Cybersecurity leaders in this region also believe that they must content with risks like phishing and social engineering attacks (61%), ransomware (59%) and device vulnerabilities (58%).

While 60% of respondents believe that cybersecurity leaders should report directly to the CEO, only 6% of security leaders in the APAC region actually do. On average, they are three levels away from the CEO, which poses challenges in ensuring that leadership has an accurate understanding of security risks facing the organisation.

Without securing buy-in from senior leadership, cybersecurity leaders also struggle to establish authority and establish their desired security posture. In fact, only 37% of respondents in the region state that their organisation values and effectively leverages the expertise of their cybersecurity, compared to 43% globally. Lack of understanding from senior leadership (52%) and executive support (51%) have subsequently been identified as key factors leading to concerns around job security.

This comes at a time when the COVID-19 pandemic has created novel security challenges for cybersecurity leaders. This is particularly salient in APAC, with 69% of respondents (the highest globally) indicating that their greatest security challenge is securing the remote workforce. Across the region, almost 70% of organisations have more than a quarter of their employees and contractors working remotely. This increases the risk to their sensitive data, with respondents attributing this to employees using less secure home networks (71%), family members being allowed to use the work device (65%) and security protocols not being followed (63%).

The research also found that despite the rising threat of cyber attacks, only 29% of cybersecurity leaders in the region report to the board of directors to brief them on cybersecurity risks. Furthermore, only 43% of them do so after a security incident occurs. 76% of organisations also do not have a board-level committee dedicated to cybersecurity threats and issues facing the organisation.

Joanne Wong, Vice President (International Markets) at LogRhythm, said it is crucial for organisations to adopt cybersecurity priorities and empower their cybersecurity leaders with the support and resources they need to safeguard their business effectively.

“In today’s fast-evolving cyber threatscape, security leaders are assuming more responsibility and bearing more risks. However, without organisational visibility and a direct line of contact with their CEO and board of directors, they lack the influence to implement a holistic and mature security program,” said Wong.

The study featured 1426 global respondents, including chief information, technology and security executives located in APAC, EMEA and the United States.

Image credit: ©stock.adobe.com/au/snowing12