Boards struggling with their role in providing cybersecurity oversight are creating security problems for their organizations. Although boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. And by not focusing on sustainability, boards are failing their companies.
We surveyed 600 board members about their attitudes and activities around cybersecurity. Our research shows that despite investing time and money, the majority of directors (65%) still believe their organizations are at risk of a material cyberattack within the next 12 months, and almost half believe they are not ready to cope with a targeted attack. Unfortunately, this growing awareness of cyber risk is not driving better preparedness. In this article we detail several ways companies can begin to develop better cybersecurity awareness.
Board interactions with the CISO are lacking
Only 69% of the responding board members have seen their chief information security officers (CISOs). Less than half (47%) of board members regularly interact with their CISOs, and nearly a third only see their CISOs at board presentations. This means that directors and security leaders are not spending enough time together to have a meaningful dialogue about cybersecurity priorities and strategy. Additionally, our research found that while 65% of board members think their organization is at risk of a material cyberattack, only 48% of CISOs share the same view. This communication gap and board-CISO misalignment hinder cybersecurity progress.
Our findings suggest that the CISO-board disconnect is exacerbated by their unfamiliarity with each other on a personal level (they do not spend enough time together to get to know each other and their attitudes and priorities in a productive way). Also contributing to this disconnect is the CISO’s difficulty translating technical jargon into business language, such as risk, reputation, and stability.
Forming strategic partnerships with CISOs, including director-CISO engagement between board meetings, enables directors to ask better questions and understand the answers they receive.
Boards focus on protection when they should be focusing on resilience
Despite the high perceived risk, our survey found that 76% of board members believe they have made sufficient investments in cyber protection. Additionally, 87% expect their cybersecurity budgets to grow over the next 12 months.
However, their investments may not be in the right places. In a typical board meeting, cybersecurity presentations usually cover the threats and the actions and technologies the company has implemented to protect against them. For example, in many board meetings, the main topic is how often the company conducts a phishing test and the statistical results. To us, that is the wrong perspective for a board. We know that we are never completely protected, no matter how much money we invest in technologies or programs to stop cyberattacks. While spending resources to protect our assets is important, limiting board discussions to defense is setting us up for disaster.
Instead, the conversation should focus on resilience. We must assume, for planning purposes, that we will experience some type of cyberattack, and prepare our organizations to respond and recover with minimal damage, cost, and reputational impact. For example, instead of detailing in a board meeting how our organization is set up to respond to an incident, we should focus on what the greatest risk is and how we are prepared to quickly recover from the damage if that situation occurs.
To shift their focus to resilience as the primary goal of cybersecurity, directors can ask their operating leaders to create a vision for how the company will respond and recover in the event of an attack. Reducing the likelihood of a successful cyberattack in the first place should be only a secondary objective.
Boards view cybersecurity as a technical topic, but it has become an organizational and strategic imperative
Only 67% of board members believe that human error is their biggest cyber vulnerability, even though World Economic Forum findings show that human error accounts for 95% of cybersecurity incidents. This may be an indication that the remaining boards do not see the organizational risk they face. Additionally, half of survey participants value the CISO’s cybersecurity expertise the most, followed by technical expertise (44%) and risk management (38%). This suggests that although cybersecurity topics may have made it onto the agenda, the board still sees them as technical issues.
If boards view cybersecurity only as a technical topic, it can be a very difficult topic to give attention to in their meetings. Time is limited in board meetings, which makes it difficult to cover all the nuances necessary for proper oversight. Directors may avoid asking difficult questions because they feel they do not know enough about the technical concepts to properly articulate the question or even to understand the answer. Viewing cybersecurity as an organizational issue changes the discussion from a technical challenge to a management challenge. If cybersecurity is viewed as an organizational strategic imperative, it becomes relevant for board-level discussion.
Boards should ask questions like, “What is the technical risk to our business from potential cybersecurity incidents?” “What are we doing in terms of preventing any harm that results from realizing that risk?” “What is the risk to the organization from potential cyber incidents and what are we doing to quickly recover from the consequences?” And, “What is the supply chain risk from potential cybersecurity incidents and what are we doing about it so we don’t lose a day of production?”
The composition of most boards today creates more fragility when it should create greater resilience
Many of the boards we study are composed of highly experienced executives, whether retired or not, who have extensive experience in operations, finance, sales, and their respective industries. But few have cybersecurity knowledge or experience. In 2022, the SEC proposed clearer recommendations for cybersecurity risk management, governance, and disclosure for public companies, and these proposals are expected to become mandatory. That means boards should have clearer cybersecurity risk management and include clear cybersecurity expertise on the board.
Many former executives were leaders before the current cybersecurity environment took shape, and may not bring that expertise, or even a method to acquire it, to their boards. That does not mean they are unsuitable to serve as directors without such skills, but the board as a whole should develop them. Directors must bring more than technical expertise to the boardroom. They also need to understand the environment, financial structure, tradeoffs, and risk portfolio of the business. Finding new board members who bring the right mix of cybersecurity expertise and business acumen is difficult.
To bring cybersecurity expertise into the boardroom, the composition of the board may need to change. Board members may need to acquire cybersecurity expertise through regular conversations about cybersecurity risk, training, and development programs, and by adding members with very different business and professional backgrounds from those of the current board members.
Failing to show that cybersecurity is a priority for the board sends an unwanted message
Our research found that nearly a quarter of boardrooms don’t view cybersecurity as a priority, and many don’t even discuss the topic regularly. Some boards only have one cybersecurity update presentation per year, and that presentation is usually focused on how well protected the organization is. That is not enough.
Making cybersecurity a priority for the board is a commitment, not just an annual update. This means talking about it at every board meeting, getting updates between meetings, asking questions beyond what was presented, and taking a personal interest (such as securing themselves, bringing cyber questions and/or sharing stories, and creating heroes out of those who show the characteristics the board wants to see).
For example, what message would be sent to the executive leadership of the organization if, at every board meeting, the members recognized an exemplary “hero” who has personally done something to increase the resilience or security of the company? On the flip side, if the board doesn’t step up its game by showing how important cybersecurity is to it, then, intentionally or not, it is signaling that cyber isn’t a priority.
Directors’ personal actions send messages to senior leaders. By making cybersecurity a personal priority through actions and investments of time and attention, directors show how important it is.
Boards know they need to do something different. SEC recommendations codify that knowledge. The headlines increasingly highlight the consequences of bad cybersecurity practices. Board members with experience in cybersecurity are trying to get their fellow members’ attention on it. And board members want to provide oversight, even if they don’t have the right questions to ask. Boards should discuss the risks that cybersecurity poses to their organization and review plans to manage those risks. With the right conversations about keeping the company resilient, they can take the next step toward providing adequate cybersecurity oversight.