As our recent webinar discussed, cybersecurity has become a C-suite issue. Responding to any successful attack will need input from every executive member: the CEO to steady the ship and communicate with investors and the Board; the CISO, CIO, CFO and COO to respond to the actual breach and ensure business continuity. Then there is also the fine balancing act of strategic PR and media communications.
Consequently, cyberattack resilience and response should be on the agenda of every company's monthly or quarterly Board meeting. Boards can provide the oversight companies need in planning and executing their security strategy. Although Board members might not always understand the technical fundamentals of cybersecurity, recent headlines mean they at least understand the financial implications of a breach.
So it's all roses, right? Well, not so much. A recent report from MIT Sloan and Proofpoint reveals that many Board members feel their companies are woefully under-prepared for a cyberattack. What's more, there is a large disconnect between what the Board wants to prioritize and what Chief Information Security Officers (CISOs) view as important. Here, then, are some of the key takeaways.
First the good news: the report found that 77% of Board members agree that cybersecurity is a top priority for their board. Now the not-so-good news. Although most Board members are aware of the risk of cyberattacks, that awareness hasn't translated into preparedness. Forty-seven percent of all Board members believe that their organization is unprepared for a cyberattack, and about the same proportion of CISOs agree.
As discussed, CISOs and Board members disagree on the most critical consequences of a cybersecurity incident. Internal data becoming public is the greatest concern for boards, while CISOs are more worried about significant downtime and disruption of operations. In reality, both are a problem for organizations.
The report specifically highlights the Board's approach to the number one cause of cyberattacks. Two-thirds (67%) of Board members believe human error is their biggest cyber vulnerability, and the report notes that "… people throughout the organization, including board members, know what to watch for and what to do should they encounter a questionable email, link or website. Board members have both a personal and professional role to play. They, too, can be targets of cyber criminals who want to get into companies."
We've seen this across many senior levels in organizations: the C-suite themselves are at much higher risk of attack than most ordinary employees, because attackers exploit the power dynamics around them. An executive holds the access and authority an attacker wants, and a request that appears to come from an executive is rarely questioned by the people who receive it.
So what’s the answer to this mismatch between the Board, the C-suite, and the CISO?
Firstly, as the report notes, Board members in most countries had markedly different perceptions of cyber risk than their CISOs. That can be addressed through dialogue and better communication. Crucially though, those conversations must approach the issue from a business angle, rather than purely a technological one.
Secondly, on the human error piece, CISOs must put in place not only technological solutions, but also the cultural framework that makes security an ‘always on’ issue for the company and staff. We addressed exactly this aspect in our recent Security Cultures Report, which offers advice on how to bake better security awareness into your staff’s day-to-day routine.
Thirdly, harness the power of the Board. If leaders across the business see that cybersecurity is a top priority for the Board, they'll treat it the same way. One easy way to do this is to make cybersecurity a standing agenda item at every monthly or quarterly Board meeting, and to establish good cyber metrics (for example, how quickly critical patches are applied, phishing-simulation click rates, and how long incidents take to detect and contain) to help track your progress.