Cybersecurity and risk are hot topics in the boardroom. Board members are increasingly asking CISOs to explain how they are protecting the company so that they can make informed cybersecurity decisions. In June 2016, we released a report, How Boards of Directors Really Feel About Cyber Security Reports, that illustrated the increasing pressure on CISOs to present understandable and actionable information to the board. Board members said that cyber risk was their highest priority, outweighing other operational risks such as financial, legal, regulatory and competitive risks.
That finding surprised us because it seemed to be an abrupt shift in the board’s mindset from just a couple of years prior. So we produced another report—What’s Driving Boards of Directors to Make Cyber Security a Top Priority?—to dive deeper into board members’ minds. The report is based on a survey, conducted by Osterman Research, that asked 126 board members actively serving on the boards of enterprises why they are making cybersecurity a top priority.
Once again, we were surprised. We expected the majority of board members to say that the continuous barrage of high-profile data breaches was the number one driver; however, the majority of board members said that complying with regulatory requirements was the number one driver, an 11-fold increase from just two years ago. I was uplifted to see that boards are taking regulations seriously, even though, as the report also reveals, a growing proportion of companies struggle to satisfy their cybersecurity mandates. Nearly 60 percent of board members said that mandates are “somewhat” or “very” difficult to satisfy—a number that has increased by almost 20 percent from 2014 to 2016. At the same time, only five percent of board members felt that these same regulations are not at all sufficient to protect corporate data assets. This suggests that people believe in the guidance and are making legitimate attempts to mature their capabilities accordingly.
We also asked board members where cybersecurity sat on the priority list two years ago compared to today. The results confirmed that there has been a mindset shift. The number of board members who rated cybersecurity as a low priority decreased from 48 percent in 2014 to 14 percent today, a 34 percent change. The statistics show a significant uptick in how important cybersecurity has become.
One more statistic that stood out in this latest report is that three out of five board members believe that one or more of their fellow board members should be a CISO or some other type of cybersecurity expert. As cybersecurity has evolved into a top boardroom issue, a communication gap between board members and CISOs has surfaced. While board members speak the language of risk, CISOs speak the language of technology. Merging the two is a work in progress; ultimately, however, both parties should be adopting a risk-based approach to security. That means identifying where a company’s most valued systems and applications live, identifying the threats and vulnerabilities that could lead to a compromise of those assets, and taking mitigation action accordingly.
Overall, as our reports indicate, boards of directors, and therefore the companies they govern, are headed in the right direction when it comes to protecting their crown jewels. They are making cybersecurity a top priority more so today than ever before, driven mainly by compliance requirements rather than fear. They also want to better understand cybersecurity issues and bridge the communication gap by mandating that a cyber expert join the board.
While the findings are positive, as with all things cybersecurity related, there’s always more work to do. As board members noted, compliance requirements are increasingly difficult to satisfy. That may be because there is a growing variety of requirements, or because organizations are making a serious attempt to implement them as best practices instead of just ticking the box. While compliance provides a good baseline for data protection, it should be treated as a baseline, not a finish line. Companies should always be identifying and remediating the threats and vulnerabilities that put their most critical assets at risk. They should always understand their cyber risk posture and be able to report their current state of risk to boards, auditors and others who need it.
It’s encouraging to see board members making cybersecurity a top priority. Now it’s time for everyone else to do the same.