Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Boards Not Regularly Briefed on Cyber-Security: Survey

Even as cyber-threats circulate, the boards of directors at many enterprises continue to remain out of the loop when it comes to security.

Even as cyber-threats circulate, the boards of directors at many enterprises continue to remain out of the loop when it comes to security.

A new study from the Ponemon Institute found that 78 percent of the more than 1,000 CIOs, CISOs and senior IT leaders surveyed had not briefed their board of directors on cyber-security in the last 12 months. In addition, 66 percent said they don’t believe senior leaders in their organization consider security a strategic priority.

The findings follow a recent survey from the National Association of Corporate Directors (NCD) that found that more than half (52 percent) of the 1,013 corporate directors surveyed were not satisfied with the amount of information they were receiving about cyber-security. In addition, 36 percent said they were unsatisfied with the quality of that information.

“For a long time IT issues were seen by Boards of Directors as jammed printers and computer crashes,” said Michael K. Daly, CTO of Raytheon’s cyber-security business. “Showing the threat to brand and reputation – and ultimately shareholder value – has taken time. The Global Megatrends Survey showed that only 22 percent of respondents have briefed the board on the organization’s cyber-security strategy in the past 12 months and only 21 percent of say the board actually requested a briefing. In fact, one of the driving factors behind Raytheon’s desire to do this study was to elevate the information security point of view into the C-suite.”

One of the best ways to communicate with the boardroom is by reporting simple metrics that matter to the business, said Daly.

“Telling a board how many times a firewall blocked an attack doesn’t mean anything – they are left to wonder if it is good or bad that we are seeing attacks,” he said. “At Raytheon we report one number, dwell-time – the amount of time an attacker is able to use a computer before being stopped. Our goal is to keep that number as close to zero as possible by preventing their ability to communicate, move or do harm. For our board members, the trending of that one number allows them to determine the company’s exposure to risk and whether the right investments are being made, whether it is in analytics, talent, employee training, or new tools.”

Less than half of the respondents believe their organizations take appropriate steps to comply with leading cyber-security standards, and just 47 percent said their organizations have sufficient resources to meet cyber-security requirements.

Still, the majority of respondents believe their cyber-security postures will improve due to the following reasons: cyber intelligence will become more timely and actionable, more funding will be made available to invest in people and technologies, technologies will become more effective in detecting and responding to cyber threats, more staffing will be available to deal with the increasing frequency of attacks and employee-related risks will decline.

Advertisement. Scroll to continue reading.

“High-profile cyber-security breaches are closing the gap between CISOs and CEOs by forcing meaningful security discussions into corner offices and boardrooms,” said Larry Ponemon, chairman and founder of Ponemon Institute, in a statement. “In the meantime, our study found there is still a large delta between resources and needs, as security leaders lack both funding and manpower to adequately protect assets and infrastructure.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Audits

The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture