Boards that struggle with their role in overseeing cybersecurity create a security problem for their organizations. Even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. And by not focusing on resilience, boards fail their companies.
We surveyed 600 board members about their attitudes and activities around cybersecurity. Our research shows that despite investments of time and money, most directors (65%) still believe their organizations are at risk of a material cyberattack within the next 12 months, and almost half believe they are unprepared to cope with a targeted attack. Unfortunately, this growing awareness of cyber risk is not driving better preparedness. In this article we detail several ways boards can begin to close that gap.
Board interactions with the CISO are lacking
Only 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) serve on boards that interact with their CISOs regularly, and almost a third only see their CISOs at board presentations. Directors and security leaders therefore spend far too little time together to have a meaningful dialogue about cybersecurity priorities and strategies. In addition, our research found that while 65% of board members think their organization is at risk of a material cyberattack, only 48% of CISOs share that view. This communication gap and board-CISO misalignment hinders progress in cybersecurity.
Our findings suggest that the CISO-board disconnect is worsened by a lack of personal familiarity: the two sides do not spend enough time together to learn each other's attitudes and priorities in a productive way. Also contributing to the disconnect is the CISO's difficulty in translating technical jargon into business language such as risk, reputation, and resilience.
Director-CISO engagement between board meetings, not just at them, would help forge a strategic partnership: directors would be able to ask better questions and understand the answers they receive.
Boards focus on protection when they need to focus on resilience
Notwithstanding the high perceived risk, our survey found that 76% of board members believe they have made adequate investments in cyber protection. Furthermore, 87% expect their cybersecurity budgets to grow in the next 12 months.
However, their investments may not be in the right areas. In a typical board meeting, the cybersecurity presentation usually covers threats and the actions and technologies the company is implementing to protect against them. For example, in many board meetings the primary topic is how often the company administers a phishing test and what the results were. To us, that is the wrong perspective for board oversight. We know we cannot be completely protected, no matter how much money we invest in technologies or programs to stop cyberattacks. While spending resources to protect our assets is critical, limiting the discussion to protection sets us up for disaster.
Instead, the conversation needs to focus on resilience. We must assume, for planning purposes, that we will experience a cyberattack of some type, and prepare our organizations to respond and recover with minimal damage, cost, and reputational impact. For example, instead of going into detail in a board meeting on how our organization is set up to respond to an incident, we should focus on what the biggest risk might be and how we are prepared to recover quickly from the damage should that scenario occur.
To make resilience the primary goal of cybersecurity, directors could ask their operating leaders to create a vision for how the company will respond and recover when an attack occurs. Minimizing the possibility of a successful cyberattack in the first place should be the secondary goal.