Management & Strategy

NYSE Survey Examines Cybersecurity in the Boardroom

The responsibility for the organization suffering a data breach lies squarely with the CEO, according to a new survey examining board-level attitudes about cybersecurity.

Heads typically roll after a data breach, and the heaviest pressure usually falls on the CISO and the IT security team. In a joint survey by New York Stock Exchange (NYSE) Governance Services and Veracode, however, board members said they are more likely to hold the CEO accountable, with the CIO ranked second.

“Responsibility for attacks is being seen as a broader business issue, signaling a shift away from putting the onus squarely on the chief information security officer (CISO) and the IT security team,” the report said.

Past surveys have shown that executives are far from confident in their organizations’ ability to withstand an attack, and the NYSE/Veracode survey was no different. Two-thirds of the participants said they are not fully confident their companies are properly secured against cyberattacks. For the CEO, that is a worrying finding, considering it is his or her job that is now on the line.

Nearly 200 directors of public companies from various industries, including financial services, healthcare, and technology, took part in the survey, which examined how well cybersecurity is understood, prioritized, and addressed at the board level. Of the participants, 78 percent serve on one to three boards.

The survey findings are particularly interesting because they put concrete figures to current trends. It is increasingly clear that cybersecurity is a board-level concern: more than 80 percent of participants said cybersecurity is discussed at most or all board meetings. This makes sense, considering that many boards now treat cybersecurity as a distinct risk area they are responsible for overseeing, and that CISOs are increasingly being asked to present their strategies to the board.

“CISOs should leverage the momentum created by the board’s increased focus on cybersecurity to build consensus and support around what it takes to reduce risk for the business, across people, process and technology,” said Chris Wysopal, Veracode co-founder and CISO.

Security executives have struggled with how to communicate security risk and priorities to the board effectively. CISOs should frame their briefings around the organization’s business risks rather than around specific threats and technology details. The survey backs up this risk-based approach: nearly two-thirds of respondents indicated a strong preference for either risk metrics or high-level strategy descriptions over descriptions of security technologies. Veracode also suggested that CISOs use analogies and discuss breaches in similar industries when addressing the board.

“There will be bumps in the road for everyone involved, especially now that the board is becoming an active participant in what was once a deeply technical domain,” Wysopal said.


Board members view cybersecurity through a financial lens. Brand damage, breach cleanup costs, and theft of corporate intellectual property were the top three worries, the survey found. Brand damage was the biggest concern, named by 41 percent of directors. Another 47 percent were evenly split between theft of corporate intellectual property, such as strategic plans and proprietary designs, and the total cost of responding to a breach, including cleanup, lawsuits, forensics, and credit monitoring. The theft of intellectual property can mean a loss of competitive advantage, which eventually hits the company’s bottom line. CISOs should be prepared to express risk in these terms when presenting to the board, Veracode suggested.

One director said he was worried that cyberattackers would subvert the company’s devices to make them perform “in some way other than their intended fashion.” This worry would be “particularly concerning in industries such as medical devices and automotive safety equipment,” Veracode said.

Board members clearly understand the connection between cybersecurity and the bottom line, but they still don’t rank it highly on the agenda. Directors ranked security second to last among the factors they weigh when developing new products and services; competitive differentiation, revenue potential, and development costs were all considered more important. The disconnect is tied to the perception that adding security measures such as two-factor authentication or other stronger forms of authentication is inconvenient for customers and employees.

“The more you increase security, the less user friendly” the product becomes, a board director said in the survey.

The supply chain, which includes software-as-a-service providers, open source software, contractors, commercial software vendors, and outsourcing partners, is a major source of worry for boards. More than 70 percent of respondents have significant concerns about the risk posed by third-party software in the supply chain. The survey also found a common misperception among directors that commercial software applications are generally assessed for vulnerabilities before they reach the market.

One board member noted the “inability to know whether customers and suppliers who use our systems have adequately secured their own access points.”

CISOs need to “expand their skillset and get comfortable describing cyber risk relative to other business priorities and board-level concerns,” Wysopal said.

Board members listed technical skills and experience, business acumen, and strong communication skills as the top three qualities of a strong CISO, according to the survey (PDF).
