Nearly half of IT and business decision makers globally don’t think their boards are capable of effectively managing cybersecurity threats, despite the vast majority (77%) believing it is now the C-level’s responsibility, according to new research from Control Risks.
The global consultancy polled nearly 500 IT and business leaders from public and private sector organizations with over 2000 employees in 20 countries.
The results reveal that many are concerned their board simply doesn’t take online threats seriously enough, despite 43% claiming a cyber-attack has resulted in the misuse of sensitive or confidential information, and 41% stating it’s led to a loss of customer data.
In the UK, things were slightly less pronounced, with 38% claiming the board doesn’t take security seriously enough.
Control Risks associated director for cybersecurity in Europe and Africa, Jayan Perera, claimed public-private partnerships and industry-wide threat intelligence sharing initiatives have helped to raise the awareness of cyber security risks to board level executives in the UK.
“In addition, the financial industry – a prominent part of the UK’s economy – has in recent years been very active in building a proactive and fully engaged governance structure around cyber-risks, which helps to understand why the UK is showing a high level of confidence in their board level executives”, he told Infosecurity.
However, there’s still plenty of work to do and IT teams need to assume much of the responsibility for communicating what cyber-risks the board should be worried about, he added.
“To answer these questions competently, the security and risk functions of any organization should articulate the specific cybersecurity threats and potential impacts that they have identified to the board in plain English. This is fundamental to getting them comfortable with cybersecurity as a topic and also empowers them to ask questions and make decisions more effectively,” Perera argued.
“When this is combined with clear risk reporting on ongoing vulnerabilities and areas of strength and weaknesses in security controls, it provides a solid foundation for boards to take a more active role in engaging in cybersecurity issues.”
The most mature organizations will not only communicate these threats to their boards frequently but also “exercise” them on the highest impact attack scenarios, he added.
“Through this kind of threat-led exercising, boards can grasp that responding to a cyber-attack and preventing its most impactful elements relies upon a cohesive, cross-organizational response that supports technical teams to remediate the direct technical problem as well as providing wider business teams with direction to reduce business impact,” Perera concluded.