
Enterprise Strategy Group | Getting to the bigger truth.

RESEARCH HIGHLIGHTS

Cybersecurity in the C-suite and Boardroom
Jon Oltsik, Senior Principal ESG Analyst, ESG Fellow

November 2020

© 2020 by The Enterprise Strategy Group, Inc. All Rights Reserved.

Contents

Research Objectives 3

Research Highlights 4

Cybersecurity is still largely perceived as a technology area. 6

Cyber-risk management is increasing. 9

Corporate boards are getting more engaged with cybersecurity but still have a long way to go. 12

Enterprise cybersecurity programs remain uneven. 15

Organizational cybersecurity gaps remain. 17

There is plenty of room for improvement. 21

Recommendations 23


Research Objectives

As organizations embrace digital transformation initiatives, business outcomes become inexorably linked to technology areas like application development, cloud computing, and IoT devices. Therefore, these technology assets must be protected to ensure continuity of business operations. The link between cybersecurity and the business has led to an industry declaration that, “Cybersecurity is a boardroom issue.” This statement is true yet simplistic. Executives and corporate directors have a fiduciary responsibility to shareholders and/or owners, so they are ultimately responsible for everything that drives the business, including managing cyber-risk and safeguarding business-critical technology assets. That said, cybersecurity can be a highly technical discipline. This brings up a few questions: Do executives really understand cybersecurity and its role in the business? And as technology further dominates the business landscape, are they investing appropriately in cybersecurity and driving a cybersecurity culture throughout their organizations?

To explore the answers to these and other questions, ESG surveyed 365 senior business, cybersecurity, and IT professionals at organizations in North America (US and Canada) and Western Europe (UK, France, and Germany) working at midmarket (i.e., 100 to 999 employees) and enterprise-class (i.e., more than 1,000 employees) organizations.

This study sought to:
Explore the role of cybersecurity in the business.
Uncover where progress is being made and areas that need more focus and investment.
Examine the relationships between security and business executives.
Compare the actions of leading organizations with those that lag behind.


Research Highlights

Cybersecurity is still largely perceived as a technology area.

Sixty-nine percent of business and technology leaders believe that cybersecurity is entirely or mostly a technology area with little or no linkage to the business, while another 11% equate cybersecurity with regulatory compliance. Additionally, many organizations rate themselves as only adequate or poor in areas like their executives’ commitment to cybersecurity and treating cybersecurity as a critical component of business strategies. In aggregate, the research indicates that most organizations don’t strive for “good security,” but rather they settle on “good enough” security.

Cyber-risk management is increasing.

To manage risk, organizations piece together aspects of multiple frameworks, models, and services such as the NIST cybersecurity framework, ISO 31000, and the Factor Analysis of Information Risk (FAIR). Despite these guidelines, however, 82% of organizations claim that cyber-risk has increased over the past 2 years due to factors like increasing cyber-threats, greater integration of technology within the business, and a growing attack surface.

Corporate boards are getting more engaged with cybersecurity but still have a long way to go.

Many board members are more active with cybersecurity education, leading to a situation where 85% of corporate boards are more engaged in cybersecurity than they were two years ago. Still, many boards must be drawn into cybersecurity through some type of catalyst, like new regulatory compliance requirements, the introduction of a new cybersecurity program, or in reaction to a data breach in the organization’s industry.


Enterprise cybersecurity programs remain uneven.


When senior business, cybersecurity, and IT managers stack ranked aspects of their organization’s cybersecurity program,
engineering and SDLC, endpoint security, and third-party risk management were the most immature areas. Organizations are
investing in program areas like IT operations, cloud security, and information security. In other words, they don’t seem to be intent
on improving the immature areas of their programs.

Organizational cybersecurity gaps remain.


Despite CISOs and CIOs typically having a close relationship, nearly half of respondents claim that the relationship between
security and IT teams is only somewhat well aligned or not very well aligned. While security and IT do relatively well in collaborating
on security technology deployment and IT infrastructure, they aren’t nearly as well coordinated in areas like application security,
DevOps, or end-user support. Other corporate executives are often only somewhat involved or not very involved in other areas of
cybersecurity like establishing a cybersecurity culture or prioritizing security investments.

There is plenty of room for improvement.


Respondents had plenty of suggestions for improving the alignment of cybersecurity and the business like bringing the
security team into business planning, increasing cybersecurity training for board members and executives, and improving
data analysis for decision support.


Cybersecurity is still largely perceived as a technology area.


Cybersecurity Remains a Technology Area, but There Is Some Slow and Steady Progress

“A majority of survey respondents say that their organization perceives cybersecurity as either entirely or mostly a technology area with some emphasis on business.”

A majority of survey respondents say that their organization perceives cybersecurity as either entirely or mostly a technology area with some emphasis on business. Furthermore, 11% equate cybersecurity to a regulatory compliance area.

ESG finds this a disheartening metric that characterizes this research study. One would think that with nearly universal adoption of new digital transformation applications and business processes, cybersecurity would be considered a technology and business area, but only 15% of respondents believe this is the case.

There is a bit of positive news hidden within this data as 60% of respondents see cybersecurity playing a business role, albeit a minor one in most cases. Cybersecurity remains a second-class citizen, but it does appear to be making slow and steady progress.

| How cybersecurity is viewed.

Entirely as a technology area 28%
Mostly as a technology area but with some emphasis on the business aspects of cybersecurity 41%
As a regulatory compliance area 11%
As a technology and business area about equally 15%
Mostly as a business area but with some emphasis on the technology aspects of cybersecurity 4%
Entirely as a business area 2%


A Large Percentage of Organizations Remain Content with ‘Good Enough Security’


Cybersecurity professionals often lament that their organizations don’t want good security; they want “good enough” security. In other words, business executives are only willing to
fund cybersecurity people, processes, and technologies that help the organization comply with regulations and provide basic protection. Unfortunately, ESG’s data indicates that this
minimalist attitude remains persistent in several areas. For example, 41% of organizations rate their C-level executives’ commitment to cybersecurity as only adequate or fair, 43% rate their
organization’s intention to build cybersecurity into business processes and IT initiatives as adequate or fair, and 54% rate their company-wide commitment to cyber-hygiene as adequate,
fair, or poor. Even more telling, non-technical managers having cybersecurity responsibilities is rated adequate, fair, or poor by 69% of organizations.

| Cybersecurity organizational culture.


Very good Adequate Fair or worse

C-level executives’ commitment and buy-in to cybersecurity 58% 31% 12%

Cybersecurity is a critical component of all business decisions, initiatives, etc. 57% 34% 10%

Organization is intent on proactively building security into business processes and technology initiatives 56% 36% 8%

Organization actively monitors and manages cybersecurity metrics 56% 33% 10%

CISO/CSO is perceived as a business and technology executive 52% 37% 11%

Continuous employee awareness training on cybersecurity 50% 40% 10%

Board is actively engaged in cybersecurity status, requirements, investments, etc. 48% 41% 11%

Cyber-hygiene is an ongoing priority company-wide 46% 40% 15%

Board transparently shares cybersecurity information (strategies, metrics, incidents, etc.) with investors 45% 43% 13%

Employees' commitment and buy-in to cybersecurity 44% 44% 12%

Non-technical managers have cybersecurity responsibilities 29% 49% 21%



Cyber-risk management is increasing.


Organizations Rely on Multiple Risk Management Standards, Leading to Varied Metrics and Complex Operations

“CISOs tend to create their own risk management guidelines by piecing together industry standard frameworks deemed as the best fit for their organizations.”

Ask any CISO to identify their primary responsibility and they’ll likely tell you it is managing and mitigating cyber-risks to the business. To accomplish this task, organizations employ numerous frameworks, standards, and services, like the NIST Risk Management Framework (NIST 800-53), the NIST cybersecurity framework, or security scorecards and rating services.

Based on qualitative interviews conducted for this project, CISOs tend to create their own risk management guidelines by piecing together industry standard frameworks deemed as the best fit for their organizations. While this can help them categorize and manage cyber-risk, it also creates a customized risk management framework, making it more difficult to input external data or compare internal and external risk factors. Each CISO seems to have their own preferred cyber-risk management model, so each time an organization changes its security executive, it begins anew with cyber-risk management and an associated enterprise cybersecurity program.

CISOs should network with other industry security executives in pursuit of a more universal cyber-risk management standard.

| Frameworks and standards used to benchmark cyber-risk.

NIST risk management framework 44%
NIST cybersecurity framework 43%
Security rating service scores, reports, etc. 40%
ISO 31000 38%
COSO enterprise risk management framework 37%
Factor analysis of information risk 31%
CIS top 20 controls 26%
Heat maps/heat mapping 24%
OCEG “Red Book” 16%


Cyber-risk Is Increasing Due to External Factors and Business Practices

82%: Cyber-risk is much greater than it was 2 years ago (41%), and cyber-risk is somewhat greater today than it was 2 years ago (41%).

A vast majority of organizations (82%) believe that cyber-risk has increased over the past two years. What’s behind this increase? Survey respondents point to an increase in cyber-threats, a greater dependence on technology for new types of business processes, and an increasing attack surface, among others.

As cyber-risks rise, it’s important to make sure that business and IT initiatives are supported by the right level of security oversight and controls. Why? Digital transformation initiatives are often built on new technologies like microservices, utilize IoT devices, change rapidly, and collect and process large data repositories, introducing new security vulnerabilities. Given this situation, a targeted attack could lead to business disruption or a costly data breach. Mitigating these risks depends upon strong cooperation between business, IT, and security teams from the initial planning stages of digital transformation projects.

| Drivers of heightened cyber-risk levels (top 3).

There are more cyber-threats today 42%
My organization’s business processes are more dependent on technology 35%
My organization has deployed more assets so our attack surface is greater today 33%
Executives and the board of directors have become more engaged in cyber-risk management, which has increased our focus on cyber-risk 28%
My organization has more regulatory compliance requirements today 28%
My organization is more reliant on SaaS providers for its business applications 28%
One or several organizations in my industry have suffered cyber-attacks, increasing our focus on cyber-risk 28%
My organization has established more third-party relationships 25%
My organization suffered a cyber-attack, increasing our focus on cyber-risk 17%
My organization hasn’t established a strong cybersecurity culture, resulting in increased cyber-risk 14%

Corporate boards are getting more engaged with cybersecurity but still have a long way to go.


Nearly Half of Corporate Boards Engage in Continuous Cybersecurity Education

51% of organizations say that their board of directors engages in some type of continuous cybersecurity education.

One or several corporate board members have some knowledge and experience with cybersecurity, and just more than half (51%) of organizations say that their board of directors engages in some type of continuous cybersecurity education. Usually, this is the CISO’s responsibility, but some organizations bring in outsiders for board-level cybersecurity education. ESG believes this is a best practice that should be emulated broadly.

| Board of directors’ level of engagement with cyber education.

Yes, the board is engaged in continuous cybersecurity education 51%
Yes, the board pursues cybersecurity education sporadically 35%
No, but the board is planning to engage in some level of cybersecurity education 8%
No, but the board is interested in engaging in some level of cybersecurity education 4%
No, and there are no plans for or interest in doing so 1%
Don't know 1%


Corporate Boards Have Become More Engaged with Cybersecurity

85%: The board of directors is much more engaged with cybersecurity status, decisions, and strategy than it was 2 years ago (45%), and the board of directors is somewhat more engaged with cybersecurity status, decisions, and strategy than it was 2 years ago (40%).

A majority (85%) of organizations say that their board is more engaged with cybersecurity today than it was two years ago for several reasons. First, boards are more educated on cybersecurity than in the past. When board members are more educated, they ask tougher questions, dig into issues, and make the leap from cybersecurity to business issues. Aside from this proactivity, however, corporate boards are often drawn more passively into cybersecurity through regulatory compliance requirements, the introduction of a cybersecurity program (by the CISO), or an industry data breach. Rather than wait to be drawn in, corporate boards at leading organizations are driving this agenda on their own.

| Reasons for more cyber-engaged boards of directors.

The board has become better educated about cyber-risks 48%
My organization has to comply with more regulatory compliance requirements 47%
My organization created a formal enterprise cybersecurity program 37%
Another organization in my organization’s industry suffered a data breach in that time 29%
My organization hired a new CSO/CISO in that time 28%
A technically savvy person joined the board in that time 27%
My organization suffered a data breach in that time 22%
My organization hired a new CEO in that time 18%

Enterprise cybersecurity programs remain uneven.

Maturity Levels of Cybersecurity Program Areas Vary, as Do the Subsequent Investment Levels

An enterprise cybersecurity program should include multiple areas with focus and investment skewed to areas that support business operations. When asked which program areas are most mature, 40% of respondents identified information security (i.e., protecting the confidentiality, integrity, and availability of sensitive data), 36% said security operations (i.e., threat prevention, detection, and response, etc.), and 34% pointed to cloud security (i.e., security of cloud-based applications, data, and workloads). Alternatively, the least mature areas were third-party risk management, endpoint security, and engineering/secure development lifecycle (SDLC).

Given the proliferation of cloud-native applications and remote workers, it would be safe to assume that organizations are investing in these areas, but the data indicates that this is not the case, as investments are focused on more mature categories like IT operations (16%), cloud security (15%), information security (14%), and security operations (14%). CISOs and business managers must do more to align investments to acute security needs that impact the business in the short and long term.

| Most mature cybersecurity program disciplines.

Information security 40%
Security operations 36%
Cloud security 34%
IT operations 32%
Network security 27%
Application security 22%
Database administration 21%
Governance, risk, and compliance 19%
Securing business operations associated with revenue protection 18%
Third-party risk management/vendor risk management 15%
Endpoint security 14%
Engineering and SDLC 9%

| Investment priorities for cybersecurity program disciplines.

Cloud security 15%
Information security 15%
IT operations 14%
Security operations 14%
Business operations and revenue protection 12%
Network security 7%
Governance, risk, and compliance 5%
Database administration 4%
Engineering and SDLC 4%
Endpoint security 4%
Application security 4%
Third-party risk management/vendor risk management 3%


Organizational cybersecurity gaps remain.


Security and IT Are Not Well Aligned at Almost Half of All Organizations

“Nearly half (45%) of respondents say security and IT teams are only somewhat well-aligned.”

While the research indicates that CISOs work more closely with CIOs than any other executives, security and IT teams don’t always do as well. Nearly half (45%) of respondents say these two groups are only somewhat well-aligned (i.e., security is sometimes but not always part of IT planning, implementation, and operations), and 2% said security and IT were not well-aligned at all. This lack of alignment is especially concerning as these two groups must collaborate in areas that could impact the business like protecting critical IT assets, monitoring activities, and mitigating risk.

| Alignment between IT and cybersecurity groups.

Very well-aligned: security is part of IT project planning, implementation, and operations 53%
Somewhat well-aligned: security is sometimes but not always part of IT project planning, implementation, and operations 45%
Not well-aligned: security is rarely part of IT project planning, implementation, and operations 2%


IT and Cybersecurity Cooperation Is Skewed Toward Fundamental Areas

ESG’s research also reveals that security and IT groups work best together in areas like security technology selection, deployment, and operations, and infrastructure security and operations. This isn’t surprising as security and IT teams have been doing things like configuring servers, deploying firewalls, and inspecting network traffic for over 20 years. What’s concerning, however, is that security and IT teams aren’t nearly as coordinated with other requirements like DevOps, end-user support, and application development/testing. Furthermore, only 30% of respondents say that IT and security teams work best on digital transformation initiatives. This is somewhat alarming as digital transformation initiatives drive modern businesses, so security and IT teams should be tightly coordinating activities from the onset of all projects.

| Areas of greatest synergy between IT and cybersecurity groups.

Security technology selection, deployment, and operations 41%
Infrastructure security and operations 36%
Digital transformation initiatives 30%
Identity and access management 25%
Policy creation, management, and enforcement 25%
Vulnerability scanning/patch management 22%
Insider threat management 20%
Incident response 20%
Application development and testing 19%
End-user support 18%
DevOps 17%


Executives Remain Cursory to Cybersecurity Activities


When it comes to executive involvement in cybersecurity, there is good and bad news. The good news is that a majority of organizations continue to invest in cybersecurity, as other ESG research indicates that more than 60% increased their security budgets in 2020.* The bad news? This ESG research project reveals that between 45% and 60% of executives are only somewhat involved, not very involved, or not at all involved in many critical cybersecurity activities. For example, executives are somewhat involved, not very involved, or not at all involved in reviewing metrics and KPIs across the entire security program. So, while organizations are investing in cybersecurity, executive teams know little about ROI on security technologies.

The data also reveals an alarming trend that executives are only somewhat involved, not very involved, or not at all involved in establishing a cybersecurity culture at their organization.
Lacking this, cybersecurity will remain a technology-centric requirement rather than a crucial aspect of a 21st century business. This situation will only improve if business executives
champion cybersecurity throughout the organization, where every employee believes they have a role in protecting the organization. This starts at the top, driven by CEOs and
corporate directors.

| Level of executive involvement in cyber activities.

Very involved Somewhat involved Not involved

Establishing cybersecurity budgets 54% 37% 10%

Establishing a culture of cybersecurity 50% 36% 15%

Prioritizing investments 48% 39% 13%

Reviewing cybersecurity projects 47% 43% 10%

Monitoring the threat landscape 44% 40% 15%

Reviewing metrics and KPIs across the entire security program 40% 48% 12%

There is plenty of room for improvement.

What Can Be Done to Improve Cybersecurity Alignment with the Business?

When it comes to the relationship between cybersecurity and the business, results are mixed. Corporate boards and executives are more educated and involved than they were in the past while CISOs are more actively participating in business planning and strategy. Alternatively, business executive and board involvement in cybersecurity seems cursory at best at most organizations.

Survey respondents pointed to numerous ways for their organizations to bridge the business/cybersecurity gap. For example, one-third suggested getting the security team more involved with business planning and major IT initiatives earlier in the process, 33% recommended improving/increasing cybersecurity training/education for business executives and corporate boards, and 32% proposed improving data collection, processing, and analysis to improve cyber-risk management.

| Actions likeliest to improve cybersecurity and business alignment.

Involve the security team in business planning, major initiatives, software development, etc., earlier in the process 33%
Improve/increase cybersecurity training/education for business executives and/or corporate boards 33%
Improve our data collection, processing, and analysis to better track, analyze, and make decisions about cyber-risk 32%
Increase the frequency of meetings between the CISO and executives and/or the corporate board 26%
Adopt a cybersecurity standard/framework 22%
Formalize the cybersecurity program 20%
Hire service providers to review the cybersecurity program and suggest areas for improvement 18%
Create and staff a new BISO role in key lines of business, divisions, etc. 18%
Institute cybersecurity metrics for line-of-business owners 18%
Define formal cybersecurity metrics/KPIs 18%
Move security personnel into business units 13%
Hire a new CISO with more of a business focus 12%


Recommendations

Institute the right reporting structure.


Forty-five percent of CISOs report to CIOs while 42% report to CEOs. Through its data analysis, ESG
discovered that a CISO to CEO reporting structure is a best practice for leading organizations. This makes
sense as a direct reporting structure means more cybersecurity exposure for CEOs and more business input
for the cybersecurity team. Thus, this is a good place for organizations to start.

Formalize the cybersecurity program.


Too many cybersecurity programs are haphazard and technically focused. To align cybersecurity and the
business, cybersecurity programs must be top-down, formalized and documented, and highlighted by KPIs
and established metrics. This will help CISOs better communicate with business executives about the role of
cybersecurity in the business using a common language.

Employ BISOs.
Note that 18% of organizations say that they would better align cybersecurity and the business by creating
a BISO role in key LOBs and divisions. ESG agrees. A business executive with cybersecurity knowledge could
drive security at a granular level into business processes, critical assets, sensitive data, and employee roles.
This would also help align security with business productivity.


Trend Micro, a global leader in cybersecurity, helps make the world safe for exchanging digital information. Leveraging over
30 years of security expertise, global threat research, and continuous innovation, Trend Micro enables resilience for businesses,
governments, and consumers by providing connected security across the IT infrastructure.


About ESG
Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm
that provides market intelligence and actionable insight to the global IT community.


Research Methodology
To gather data for this report, ESG conducted a comprehensive online survey of senior business, cybersecurity, and IT professionals from private- and public-sector organizations in
North America (United States and Canada) and Western Europe (UK, France, and Germany) between September 28, 2020 and October 24, 2020. To qualify for this survey, respondents
were required to be senior business, cybersecurity, and IT professionals personally responsible for or familiar with their organization’s environment and strategy. All respondents were
provided an incentive to complete the survey in the form of cash awards and/or cash equivalents.

After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, we were left
with a final total sample of 365 senior business, cybersecurity, and IT professionals.

Respondents by Number of Employees
500 to 999, 18%
1,000 to 2,499, 32%
2,500 to 4,999, 19%
5,000 to 9,999, 17%
10,000 to 19,999, 6%
20,000 or more, 8%

Respondents by Age of Company
1 to 5 years, 4%
6 to 10 years, 23%
11 to 20 years, 32%
21 to 50 years, 24%
More than 50 years, 16%

Respondents by Industry
Manufacturing, 26%
Financial, 18%
Retail/wholesale, 13%
Healthcare, 12%
Technology, 10%
Business services, 4%
Communications & media, 3%
Government, 1%
Other, 13%

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by
ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in
whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will
be subject to action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

