45 percent of cyber security professionals believe their board of directors have a major gap in their understanding of cyber risk, or simply don’t understand the risk at all. This is despite over half (54 percent) of boards being ultimately accountable for the cyber strategy. This is according to the second annual Harvey Nash / PGI Cyber Security Survey, representing the views of almost 200 senior cyber security professionals.
The survey also reveals that lack of cyber risk awareness affects the senior executive team: one third of cyber professionals (33 percent) believe their CEO has major knowledge gaps and almost half (49 percent) believe the same of their CFO. CMOs, many of whom have increasing responsibility for customer data and driving customer-facing digital strategies, were also rated poorly in the survey, with 43 percent of cyber professionals believing they had major knowledge gaps, and one in ten (11 percent) believing they had no cyber risk awareness at all.
Whilst most cyber professionals feel their organizations have the basics covered, 85 percent still think there is more to do, and one quarter (26 percent) believe there is significantly more work to do.
The top three factors holding back the cyber security strategy were budget (selected by 57 percent), security-aware culture (49 percent) and understanding of the real threat (43 percent).
The survey also reveals that four in ten (38 percent) cyber leaders believe they lack the internal skills to achieve their security strategy. The skillsets most in demand were senior or business-focused, rather than technical, with 50 percent saying they lacked security architects, 43 percent lacking training and awareness skills and 38 percent lacking project managers and leaders.
About the survey
The Harvey Nash / PGI Cyber Security Survey represents the views of 176 senior information security professionals. 16 percent of respondents were CISOs, 27 percent were heads of infosec or security managers and 9 percent were CIOs. The remaining 48 percent were spread between a range of roles including IT leaders with responsibility for security, security specialists and senior management.