More than 90% of senior business leaders agree that strong technology governance contributes to improved business outcomes and increased agility, according to ISACA’s latest research, “Better Tech Governance Is Better for Business.”
Despite recognising the link between governance and outcomes, a governance gap still exists, with 69% reporting that their leadership and board of director teams need to establish a clearer link between business and IT goals.
The data delves into corporate governance of all things digital, increased responsibilities and funding priorities as well as asking if boardrooms are doing all they can to plan, train, fund and safeguard their organisation’s digital assets.
“The boardroom must become hyper-vigilant in ensuring a tight linkage between business goals and IT goals, fully leveraging business technology to improve business outcomes while diligently safeguarding the organisation’s digital assets,” says Matt Loeb, CEO of ISACA. “The message from our research is clear: there is much work to do in information and technology governance. Committing to a boardroom with technology savvy and experience strongly represented provides the needed foundation for organisations to effectively and securely innovate through technology.”
Not all executive teams and boards walk the walk in matters of digital security. Data shows:
Only 55% say their organisation’s leadership team and board are “doing everything they can” to safeguard their organisation’s digital assets and data.
21% don’t think their leadership team and board are “doing everything they can” to safeguard their organisation’s digital assets and data, and 23% neither agree nor disagree, or don’t know.
As a part of overall governance, cybersecurity policies and defences were cited as the number one corporate governance technological challenge and opportunity faced by senior leadership teams globally. Yet:
Only 21% of senior leadership and boards are briefed on risk topics at every senior leadership meeting.
Only one-third of organisations assess risk related to technology use on a monthly or more frequent basis.
Many leadership teams are prioritising and increasing funding for cybersecurity and risk management programs:
Almost half (48%) of leadership teams will prioritise funding expansion in cyberdefence improvements, beating the number that intend to significantly expand funding for digital transformation (33%) and cloud (27%).
Leadership teams also intend to fund increases in spending for security consultants (27%), upgrades to network perimeter defences (25%), and cyberinsurance (17%).
Well over half (64%) of organisations have already increased spending on risk management in the past year versus last year, and 33% intend to increase spending in enterprise risk management programs over the next 12 months.
Leadership teams recognise that internal cyberthreats are as real as external ones:
61% say the board or senior leadership team believes there is heightened risk from both external and internal risks.
Despite the widely recognised importance of cybersecurity, most organisations are not planning to increase funding for training over the next year:
35% of respondents intend to increase spending in data security training for employees.
15% of respondents intend to increase spending for cybersecurity training for board members.
21% of respondents intend to increase spending for employee privacy training.
The majority of organisations are using some type of governance framework to help address areas like cybersecurity and risk:
ISACA’s industry-leading COBIT governance framework is used by 28% of respondents.
Key benefits achieved from using a governance framework include assistance in meeting performance standards and compliance requirements.
Related to privacy, there is still work to be done to prepare for the EU General Data Protection Regulation (GDPR). Specifically, among organisations affected by GDPR:
Only 32% are satisfied with the progress they’ve made to prepare for GDPR.
More than a third (35%) are unsure of the progress their organisation has made to prepare for GDPR, and 40% are taking a wait-and-see attitude about how GDPR will impact their organisation.