Why I Don't Blame Boards for Underinvesting in Cybersecurity

Seriously, what does it take to get the board interested in cybersecurity? It’s a question that’s occupied many a security professional’s thoughts for a long time now. What will it take to get the board to see cyber risk for what it is – and invest in appropriate cyber defenses?

The stats support the rhetoric, too. Tellingly, while 72% of FTSE 350 companies claim to see cyber risk as a top risk, just 46% have dedicated security budgets. By that logic, it seems as though today’s boards are underinvesting in cybersecurity, and I’m not sure I blame them.

For me, before we start pointing fingers, we need to consider how boards manage risk.

How boards manage risk
Unsurprisingly, recent research confirms boards have very little time to consider cyber risk. In fact, even in organizations that employ chief risk officers, formal risk discussions with the board typically last just 30 minutes, and they take place either annually, semi-annually or, at most, quarterly. In smaller organizations, it seems reasonable to assume even less time is devoted to considering risk.

The 30 minute slots, by the way, aren’t solely reserved for discussions around cyber risk. In the time slots, boards could potentially discuss all manner of risks they face – technological, financial, cultural; the list continues.

In impossible circumstances, boards need to decide which risks deserve the lion’s share of their attention. They do so based on, among other things, perceived risk severity and the extent to which they feel they can make a decision.

The implications are obvious. To get boards engaged in and investing more into cybersecurity, we’re going to need to get much better at demonstrating the true cyber risk our organizations face. That means we’re going to need to get better at measuring, monitoring and presenting cyber risk.

Measuring human cyber risk
Admittedly, in some areas, we’re already pretty good at measuring and summarizing cyber risk. Technological defenses, for example, typically record the number and severity of attacks they detect. An elevation in the number of attacks or attack severity is a clear indicator of enhanced cyber risk. 

Building security policies based on metrics from our technological defenses alone, however, can lead to security policies that people ignore.

Cybersecurity is a socio-technological discipline. It involves people and, at present, while technological risk metrics are sound, “measurement” of human cyber risk usually boils down to whether or not we’re running security awareness training.

It’s understandable: relatively security-conscious organizations have been proven to be overwhelmingly focused on standards, and most standards (such as NIST) recommend training but nothing more. Some standards even reference the simple training tick-in-the-box as the metric that matters.

To time-poor board members, the tick-box is surely a wayward signal. Board discussions do not meander, and tick-boxes that effectively say “we’re doing what we need to on the cyber risk front” grant boards permission to move on.

To get boards lingering on cybersecurity, security professionals need to present boards with something much more arresting: Metrics and indicators that demonstrate our true and total (and often alarming) level of cyber risk.

Awareness, behavior and culture metrics
Presenting boards with metrics that reveal people’s security awareness, their security behaviors and the organization’s security culture (alongside usual technological metrics) give boards something truly eye-opening. All of a sudden, perceived cyber risk equals actual cyber risk. Deference to cognitive biases and tick-box approaches becomes unnecessary.

Armed with easy to understand, attractive, social and timely metrics and recommendations, the board have everything they need to make informed decisions. Going further, they have everything they need to measure and advance their cyber risk maturity – either instead of or as well as the varied and relative risk maturity scales organizations fall back on today.

With metrics, cyber risk can finally be explored, debated and discussed in full.

Security professionals need to do more
As things stand, organizations frequently carry, without realizing, undesirable levels of cyber risk. The NCSC agrees, hence the recent introduction of its board toolkit. However, as security professionals, we really need to do more to ensure boards at the very least understand the true cyber risk our organizations face. 

If we succeed (something the CybSafe platform can help with, I hasten to add), then perhaps we’ll all be able to stop blaming boards for underinvesting in cybersecurity.

What’s Hot on Infosecurity Magazine?