Posted 30 Jan. 2021

40% of boards will have dedicated cybersecurity committees by 2025 — Gartner

Laurent Halimi blog profile image

By Laurent Halimi

There will be a surge in dedicated cybersecurity committees in organisations across the world in the next few years, according to new data released today from Gartner.

According to the analyst firm, 40% of boards of directors will feature such a committee, overseen by a qualified board member, by 2025. This is up from less than 10% today.

It’s just one of many steps expected to be taken by organisations in response to greater risk created by the expanded digital footprint of organisations during the pandemic.

The perception and acknowledgement of this risk is such that cybersecurity-related risk is rated by several boards of directors as the second-highest source of risk for the enterprise (behind regulatory compliance risk).

Despite this, many executives surveyed by Gartner are not confident that their organisations are adequately secured against cyber-attacks.

“To ensure that cyber risk receives the attention it deserves, many boards of directors are forming dedicated committees that allow for discussion of cybersecurity matters in a confidential environment, led by someone deemed suitably qualified,” says Gartner research director Sam Olyaei.

“This change in governance and oversight is likely to impact the relationship between the board and the CISO.”

CISOs will also have more significant roles within the context of the wider company, and will be expected to establish critical partnerships with executives in sales, finance and marketing. Gartner predicts 60% of CISOs will take on this extra responsibility — up from less than 20% today.

“Effective CISOs realise that heads of sales, marketing and business unit leaders are now key partners as the use of technology and, subsequently, the incurrence of risk happens outside of IT,” says Olyaei.

Cyber, physical and supply chain security converge

For asset-intensive enterprises such as utilities, manufacturers and transportation networks, security threats targeting cyber-physical systems present an increased risk to the organisation, Gartner says.

Bad actors increasingly target weaknesses wherever they are, as demonstrated by the surge in ransomware affecting organisations’ operational systems and recent supply chain attacks.

The siloed nature of today’s security disciplines then becomes its own risk and a liability to the organisation, and the IT-centric focus of most security teams needs to expand to include threats in the physical world.

Gartner predicts that by 2025, 50% of asset-intensive organisations will converge their cyber, physical and supply chain security teams under one chief security officer role that reports directly to the CEO.

Remote work can improve access to IT security talent

Gartner research conducted pre-COVID-19 found that 61% of organisations surveyed struggled to find and hire security professionals.

“As organisations shifted to remote working in response to the pandemic, it proved that some, if not all, security capabilities could be delivered remotely,” says Gartner senior research director Richard Addiscott.

This includes security monitoring/operations, policy development, security governance and reporting, security awareness, and incident response via dispersed teams. 

“Cybersecurity teams can work remotely and still provide effective capabilities.”



40% of boards will have dedicated cybersecurity committees by 2025 — Gartner