There’s always a lot of talk about the board and cybersecurity. This topic is important because without the board’s approval, organizations can’t take the necessary steps to improve cybersecurity. As time passes and mega breaches keep popping up, like the recent Yahoo mega breach, the board does seem to be getting more interested in cybersecurity. However, the question remains, what’s the board’s cybersecurity ‘why’?
One of the most common obstacles to board members being on board with cybersecurity has been the communication gap between the CIO and/or CISO and the board. Another major challenge has been not giving the CIO and/or CISO a seat at the table in the boardroom. An even bigger problem has been getting the board to see the business value of cybersecurity.
While it seems that organizations are trying to close the communication gap, the business value of cybersecurity remains fragile. A recent survey by Osterman Research reveals why the board’s valuation of cybersecurity is still not quite where it needs to be to take on cybersecurity in a way that really protects organizations and their data assets.
Let’s look at the survey’s findings.
Even though nearly half of the board members surveyed by Osterman Research believe that regulations are sufficient to help protect corporate data assets, increased regulations are making it harder for them to satisfy their cybersecurity mandates.
- 46% of board members believe compliance regulations help establish stronger security, but nearly 60% struggle with meeting increased mandates – a nearly 20% increase over the past two years.
The study also showed that three out of five board members believe that one or more of their fellow board members should be a CISO or some other type of cybersecurity expert.
- Only one in six board members claim substantial expertise in understanding the nuances and implications of cybersecurity issues.
- This deficiency is why 60% believe that one or more board members should be a CISO or other type of cybersecurity expert.
The number one driver for making cybersecurity a top priority for board members is complying with regulatory requirements.
- In the past two years, there’s been an 11-fold increase in the number of organizations citing increased regulation from the government as a driver to make cybersecurity a top priority. Industry bodies have also increased this type of pressure for organizations to meet compliance.
- In the past two years, fears of lawsuits and regulatory penalties have grown 10-fold and are also a reason for growing interest by the board in cybersecurity as a priority.
- These two factors have driven more reaction and action than the experience of a breach at their own company.
It is very clear from this study that the board wants a CISO or security expert in the boardroom to help with understanding cybersecurity. However, the board’s cybersecurity ‘why’ remains focused on compliance and this is where the real problem lies.
You can’t have an effective cybersecurity posture if all you’re doing is meeting compliance. So, even though the communication gap on cybersecurity matters is closing, it’s only closing so that organizations can meet requirements. The lack of understanding that this type of cybersecurity approach isn’t enough continues to be a barrier to a truly effective cybersecurity posture.
If the board is going to protect their business, the first thing that has to become clear is that cybersecurity isn’t only compliance. Yes, meeting compliance helps to strengthen security, but only a holistic approach to cybersecurity can minimize risks and effectively secure the entire organization along with its assets.
If you’re ready to transform your cybersecurity ‘why’, give us a call. Schedule your free consultation to protect your organization!
Photo Courtesy of Peshkov Daniil