With an increase in the number of breaches, one would expect more involvement in the cybersecurity process by the board and senior leadership, but from Ponemon Institute’s Fourth Annual Study: Is Your Company Ready for a Big Data Breach?, the reality is quite different.
Ponemon’s study questioned executives and staff employees who work in the privacy, compliance and IT security sector in the US and found that even though the likelihood of a breach has risen, many senior leaders aren’t actively engaged in their company’s data breach preparedness plan.
The study found that only 42% of executives find their data breach plan very effective or effective and 57% of executives said their organization’s board of directors, chairman and CEO were not informed and involved in data breach response plans. Additionally, only 34% of executives say the board understands the specific security threats facing their organization.
This lack of understanding and knowledge of data breach preparedness plans among senior leadership would explain why organizations aren’t doing more when it comes to security. It’s a problem that has been discussed for years and involves several challenges, one of the biggest being the overconfidence of decision makers in their organization’s ability to detect and respond to a data breach.
It’s only normal that leadership will want to believe every step they’re taking to secure their enterprise is the best one; but there’s also a group of decision makers who might want to think this is true to avoid additional responsibility and/or spending. You can’t really believe you’re prepared to detect and respond to a breach effectively if you aren’t testing data breach response plans regularly, and if you’re relying solely on security tools alongside a small IT team in which the number of security experts is uncertain.
This type of thinking could’ve worked before, but with the increasing number of IoT devices and their vulnerabilities, it’s a dangerous game. Even though a data breach ranks second in importance only to poor customer service for the organizations surveyed by Ponemon Institute in the study, only 27% of them are confident in their ability to minimize the financial and reputational consequences of a material data breach. How is that going to play out for the business if a breach happens?
Another problem most likely contributing to the lack of senior leadership involvement in data breach preparedness is that security executives don’t have a seat in the boardroom, and that those higher up are extremely focused on compliance requirements when they do give CIOs and CISOs the chance to brief them on what’s going on. Fundamentally, senior leadership hasn’t come to grips with the level of danger a data breach poses to their company.
Breaches might not close a business down, but they will create financial and reputational damage, not to mention the damage they can bring to customers and employees once their personal data has been compromised. Maybe it’s still too soon to expect senior leadership to make cybersecurity an integral part of business operations, or maybe it’s because they’re so tired of hearing about mega breaches that they’ve just decided to tune it out. Whatever the case may be, studies like these can help businesses think about their own cybersecurity and senior involvement.
Are you having trouble getting the board and CEO involved in data breach preparedness or cybersecurity overall? Or maybe you’re a senior leader who’s looking to understand the in-depth nature of security for your organization? Give us a call to see how prepared your business is for a breach.
We’re here to help you get on track with cybersecurity so that you can keep running your business and avoid a mega breach catastrophe. Schedule your free consultation here.
Photo courtesy of Igor Petrov