Boards of Directors Are Driven Primarily by Compliance, Not Fear

Posted by Ryan Stolte

Cybersecurity and risk are hot topics in the boardroom. Board members are increasingly asking CISOs to explain how they are protecting the company so that they can make informed cybersecurity decisions. In June 2016, we released a report, How Boards of Directors Really Feel About Cyber Security Reports, that illustrated the increasing pressure on CISOs to present understandable and actionable information to the board. Board members said that cyber risk was their highest priority, outweighing other operational risks such as financial, legal, regulatory and competitive risks.

That finding surprised us because it seemed to be an abrupt shift in the board’s mindset from just a couple of years prior. So we produced another report—What’s Driving Boards of Directors to Make Cyber Security a Top Priority?—to dive deeper into board members’ minds. The report is based on a survey, conducted by Osterman Research, of 126 board members actively serving on the boards of enterprises, asking why they are making cybersecurity a top priority.

Once again, we were surprised. We expected the majority of board members to say the continuous barrage of high-profile data breaches was the number one driver; however, the majority of board members said complying with regulatory requirements was the number one driver, an 11-fold increase from just two years ago. I was uplifted to see that boards are taking regulations seriously, even though, as the report also reveals, a growing proportion of companies struggle to satisfy their cybersecurity mandates. Nearly 60 percent of board members said that mandates are “somewhat” or “very” difficult to satisfy, a figure that has risen by almost 20 percent from 2014 to 2016. At the same time, only five percent of board members felt that these same regulations are not at all sufficient to protect corporate data assets. This suggests that people believe in the guidance and are making legitimate attempts to mature their capabilities accordingly.

We also asked board members where cybersecurity sat on the priority list two years ago compared to today. The results confirmed that there has been a mindset shift. The share of board members who rated cybersecurity as a low priority fell from 48 percent in 2014 to 14 percent today, a drop of 34 percentage points. The statistics show a significant uptick in how important cybersecurity has become.

One more statistic that stood out in this latest report is that three out of five board members believe that one or more of their fellow board members should be a CISO or some other type of cybersecurity expert. As cybersecurity has evolved into a top boardroom issue, a communication gap between board members and CISOs has surfaced. While board members speak the language of risk, CISOs speak the language of technology. Merging the two is a work in progress; ultimately, both parties should adopt a risk-based approach to security. That means identifying where the company’s most valued systems and applications live, identifying the threats and vulnerabilities that could lead to a compromise of those assets, and taking mitigation action accordingly.

Overall, as our reports indicate, boards of directors, and therefore the companies they govern, are headed in the right direction when it comes to protecting their crown jewels. They are making cybersecurity a top priority more so today than ever before, driven mainly by compliance requirements rather than fear. They also want to better understand cybersecurity issues and bridge the communication gap by bringing a cybersecurity expert onto the board.

While the findings are positive, as with all things cybersecurity related, there is always more work to do. As board members noted, compliance requirements are increasingly difficult to satisfy. That may be because there is a growing variety of requirements, or because organizations are making a serious attempt to implement them as best practices instead of just ticking the box. Compliance provides a good baseline for data protection, but it should be treated as a baseline, not a finish line. Companies should always be identifying and remediating the threats and vulnerabilities that put their most critical assets at risk. They should always understand their cyber risk posture and be able to report their current state of risk to boards, auditors and others who need it.

It’s encouraging to see board members making cybersecurity a top priority. Now it’s time for everyone else to do the same. 

Ryan Stolte

Co-founder and Chief Technology Officer , Bay Dynamics

Business Perspectives

risk management

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
