One global survey asserts that only 6% of APAC CISOs and equivalent leaders had direct access to their chief executive.

A global survey of 1,426 respondents, including chief information, technology and security executives in the United States, Europe Middle East and Africa and the Asia Pacific region has found that 94% of security leaders surveyed in our region did not report directly to their CEO.

The research by LogRhythm has also found that more than half of organizations (55%) in APAC have experienced a cyberattack in the last two years and spend an average of US$17m each on security activities.

Of these organizations, 43% of respondents believed that IT security leaders should be held most accountable for preventing or mitigating the consequence of a cyberattack, compared to the CEO (18%) or both the CEO and IT security leader (22%).  

Who should security leaders report to?

In the study, it was found that cybersecurity leaders in APAC assumed greater accountability and risk for ensuring a strong security posture in the past year (61%), compared with the global average (56%).

Specifically, cybersecurity leaders in this region believed that they must contend with risks like phishing and social engineering attacks (61%), ransomware (59%) and device vulnerabilities (58%). Other findings include:

  • 60% of respondents believed that cybersecurity leaders should report directly to the CEO.
  • 6% of security leaders surveyed in APAC actually did. On average, they were three levels away from the CEO, which posed challenges in ensuring that the leadership had an accurate and complete understanding of security risks facing the organization. 
  • 37% of respondents in the region agreed that their organization valued and effectively leveraged the expertise of their cybersecurity, compared to 43% globally. Some 52% of respondents cited that this resulted in lack of understanding from senior leadership, and 51% cited this caused lack of executive support as key factors leading to concerns around job security. 
  • 69 % of APAC respondent (the highest globally) indicated that their biggest security challenge today was securing the remote workforce. Across the region, close to 70% of organizations had more than a quarter of their employees and contractors working remotely. This posed new threats and increased the risk to their sensitive data, with respondents attributing this to:

    • Employees using less-secure home networks (71%)
    • Family members being allowed to use the work device (65%)
    • Security protocols not being followed closely (63%)
  • 29% of respondent APAC cybersecurity leaders reported to the board of directors to brief them on cybersecurity risks. Furthermore, only 43% percent of them did so reactively after a security incident occurred.
  • 76% of respondents did not have a board-level committee dedicated to cybersecurity threats and issues facing the organization.  

According to the firm’s Vice President (International Markets), Joanne Wong: “In today’s fast-evolving cyber threat-scape, security leaders are assuming more responsibility and bearing more risks. However, without organizational visibility and a direct line of contact with their CEO and board of directors, they lack the influence to implement a holistic and mature security program. It is crucial that organizations recognize the need to adopt cybersecurity priorities as a central plank in their business strategy, and empower their cybersecurity leaders and team with the support and resources they need to safeguard their business effectively.”