Boards and CISOs not always on the same wavelength

Most boards understand the risk, but many won’t invest more in cybersecurity and have different concerns about the impact of a breach.


The relationship between boards and CISOs could be better these days. According to a report by cybersecurity firm Proofpoint in conjunction with MIT Sloan’s Cybersecurity, while 69% of board members say they see eye to eye with their CISO, only 51% of CISOs say the same.

The good news is that most (77%) of board members surveyed in Cybersecurity: The 2022 Board Perspective report agree that cybersecurity is a top priority. Most (65%) believe they are at risk of a cyberattack in the next 12 months, compared to just 48% of CISOs.

Nearly half of board members feel unprepared for a cyberattack

Nearly half (47%) of board members said their organizations were unprepared for a targeted attack. And only two-thirds of board members consider human error their greatest cybersecurity vulnerability, despite the World Economic Forum finding that this risk is at the root of 95% of all cybersecurity incidents.


Board members also often disagree with CISOs about the most significant impacts of a cyber incident. Boards’ top concern (37%) was data becoming public, while 34% said reputational damage and 33% said loss of revenue was the most serious consequence. CISOs, on the other hand, are more concerned about downtime, interrupted operations, and the impact on company valuations.

“The inability of board members and CISOs to see each other presents a significant risk to an organization,” said Lucia Milică, vice president and global resident CISO at Proofpoint. “The CISO needs buy-in from the board, and if they can’t communicate with each other, securing the necessary cybersecurity investments becomes a nearly impossible task.”

The report looked at three factors: the cyber threats and risks that boards face, their level of preparedness to combat those threats, and their alignment with CISOs based on CISO sentiments.

CISOs and Board Members Agree on Origin of Top Cyber Threat

The report revealed that board members and CISOs are on the same page when it comes to the top threat they face. Boards and CISOs both ranked business email compromise as their top concern (41%). Boards are also concerned about compromised cloud accounts (37%) and ransomware (32%), while CISOs ranked insiders as their top threat.

Even so, this awareness has not translated into funding. Although 75% of boards say they understand their organization’s systemic risk, 76% believe they have invested enough in cybersecurity, and 75% say their data is adequately protected.

“Boards are relentlessly focused on results and CISOs are often mired in technical language,” Milică said. “This lack of communication and shared understanding of cyber risk can put organizations at a huge disadvantage when trying to combat today’s threats.”

Surprisingly to many, 80% of boards agreed that their organizations should be required to report a significant cyberattack to regulators within a reasonable time frame. Only 6% said they disagreed.

“While complying with new cybersecurity regulations may lead to increased costs, boards are finding that the price of a late response without help from regulators is much higher,” Milică said.

About the report

The Cybersecurity: The 2022 Board Perspective report examined survey responses from 600 board members of organizations with 5,000 or more employees from different industries in 12 countries, including the United States, Canada, UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil and Mexico.