CISOs increasingly brief boards on their organization’s cybersecurity strategies and risk profile. But a new survey of directors suggests sometimes it’s a game of broken telephone.
On average, 65 per cent of the board members of large organizations in 10 countries surveyed thought their organization is at risk of a material cyber attack in the next 12 months. By comparison, only 48 per cent of CISOs who were asked a similar question earlier this year thought their firm was at risk of a material cyber attack.
On average, 69 per cent of board members thought they see eye to eye with their CISOs. However, only 51 per cent of CISOs thought they see eye to eye with their boards.
The numbers were contained in a survey done for Proofpoint and released Tuesday (registration required to view).
Six hundred board members in organizations with over 5,000 employees in 12 countries were surveyed. The results were compared with survey responses given by CISOs in 10 countries earlier this year.
Boards appear to be more confident about their organization’s cybersecurity posture than CISOs are, Lucia Milica, Proofpoint’s global resident CISO, said in an interview.
That’s worrisome, she said, because boards have oversight responsibility. “Cybersecurity is a business risk,” she pointed out, “and something they need to pay attention to.”
A problem, she said, “could be the ability of the CISO to translate a complex topic like cyber risk into business risk.”
Among other troublesome numbers in the report is that 24 per cent of board members surveyed said they don’t talk regularly about cybersecurity. That number is “not fantastic,” Milica said. By comparison, 21 per cent of board members said they talk about cybersecurity issues once every two to three weeks. Another 16 per cent said it is discussed weekly.
The disconnect between boards and CISOs varied by country, where 50 board members in each nation (U.S., Canada, U.K., France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil and Mexico) were interviewed. Some of the questions were the same ones posed in Proofpoint’s Voice of the CISO report released in May.
For example, in Canada 72 per cent of board members agreed their organization is at risk of a material cyber attack in the next 12 months. By comparison, only 62 per cent of Canadian CISOs thought that likely.
In the U.S., the divergence was sharper: 76 per cent of board members thought their organization is at risk of a material cyber attack in the next 12 months, compared to 34 per cent of CISOs.
Canadian CISOs were also wildly more optimistic about their communication with board members; 85 per cent of CISOs surveyed agreed they see eye to eye with their boards. By comparison, only 60 per cent of Canadian directors agreed with that statement.
Only half of U.S. CISOs thought they see eye to eye with their boards, while 69 per cent of board members agreed.
There were also differences in which threats each group sees as the biggest cybersecurity risk to their organizations.
Those differences of opinion may reflect the different perspectives each role brings to the organization, the report says. CISOs primarily see their role as keeping attacks from disrupting the business and enabling the business to continue to function despite cyber attacks. Board members represent shareholders and are most concerned with protecting the value of their investments, which can decline when the organization suffers reputational damage or lost revenue. That might explain why, globally, 41 per cent of board members say email fraud (also called business email compromise) is their biggest worry, compared to 30 per cent of CISOs.
The report was written by the Cybersecurity at MIT Sloan group in the Sloan School of Management at MIT. It concluded that the survey results show there is “a large opportunity for discussion” between boards and CISOs.
“The more the board makes cybersecurity a priority,” the authors add, “the more other leaders will do the same.”
The report recommends boards:
–put cybersecurity on the agenda of every board meeting;
–have a customized dashboard of relevant cybersecurity metrics made for the board;
–participate in corporate cybersecurity tabletop exercises;
–regularly meet with cybersecurity leaders to build stronger relationships.