The responsibility for the organization suffering a data breach lies squarely with the CEO, according to a new survey examining board-level attitudes about cybersecurity.
Heads typically roll after a data breach, with the biggest pressure on the CISO and the IT security team. However, in a joint survey by New York Stock Exchange (NYSE) Governance Services and Veracode, board members said they are more likely to hold the CEO accountable. The CIO was the second most responsible, the survey found.
“Responsibility for attacks is being seen as a broader business issue, signaling a shift away from putting the onus squarely on the chief information security officer (CISO) and the IT security team,” the report said.
Past surveys have shown that executives aren’t nearly as confident about their organizations’ ability to withstand an attack, and the NYSE/Veracode survey was no different. Two-thirds of the survey participants said they are not fully confident their companies are properly secured against cyberattacks. For the CEO, that is a worrying finding, considering it is his or her job currently on the line.
Nearly 200 directors of public companies from various industries, including financial services, healthcare, and technology, took part in the survey, which examined how well cybersecurity is understood, prioritized, and addressed at the board level. Of the participants, 78 percent serve on one to three executive boards.
The survey findings are particularly interesting because they put concrete figures to current trends. It is increasingly clear that cybersecurity is a board-level concern, something highlighted by the survey finding that more than 80 percent of participants said cybersecurity is discussed at most or all boardroom meetings. This makes sense, considering many board members are in charge of managing cybersecurity as a risk area, and CISOs are increasingly being asked to present their strategies to the board.
“CISOs should leverage the momentum created by the board’s increased focus on cybersecurity to build consensus and support around what it takes to reduce risk for the business, across people, process and technology,” said Chris Wysopal, Veracode co-founder and CISO.
Security executives have struggled with how to effectively communicate security risk and priorities to the board. CISOs should focus on the organization’s risks instead of security threats and technology implications. The survey backs up this risk-based approach. Nearly two-thirds of respondents indicated a strong preference for either risk metrics or high-level strategy descriptions, rather than descriptions of security technologies. CISOs should use analogies and discuss breaches in similar industries when addressing the board, Veracode suggested.
“There will be bumps in the road for everyone involved, especially now that the board is becoming an active participant in what was once a deeply technical domain,” Wysopal said.
Board members view cybersecurity through a financial lens. Brand damage, breach cleanup costs, and theft of corporate intellectual property were the top three worries, the survey found. Brand damage was the biggest concern, named by 41 percent of directors. Another 47 percent were equally split between theft of corporate intellectual property (such as strategic plans and proprietary designs) and the total cost of responding to a breach (such as cleanup, lawsuits, forensics, and credit reporting costs). The theft of intellectual property could result in a loss of competitive advantage, which would eventually impact the company’s bottom line. CISOs should be willing to consider risk in these terms when presenting to the board, Veracode suggested.
One director said he was worried that cyberattackers would subvert the company’s devices to make them perform “in some way other than their intended fashion.” This worry would be “particularly concerning in industries such as medical devices and automotive safety equipment,” Veracode said.
Board members clearly understand the connection between cybersecurity and the bottom line, but still don’t rank it highly on the agenda. Board members ranked it second to last in priority when developing new products and services. Competitive differentiation, revenue potential, and development costs were considered more important when assessing risk. The disconnect is tied to the perception that adding more security, such as two-factor authentication or other forms of authentication, is inconvenient for customers and employees.
“The more you increase security, the less user friendly” the product becomes, a board director said in the survey.
Supply chain—which includes software-as-a-service providers, open source software, contractors, commercial software vendors, and outsourcing partners—is a big source of worry for boards. More than 70 percent of respondents have significant concerns about the risk posed by third-party software in the supply chain. There was a misperception that commercial software applications are generally assessed for vulnerabilities before they hit the market.
One board member noted the “inability to know whether customers and suppliers who use our systems have adequately secured their own access points.”
CISOs need to “expand their skillset and get comfortable describing cyber risk relative to other business priorities and board-level concerns,” Wysopal said.
Board members listed technical skills and experience, business acumen, and strong communication skills as the top three qualities for a strong CISO, according to the survey (PDF).