We take a look at the relationship between CISOs and the boardroom and how both parties can strive to improve it, better aligning their business priorities. The report reveals that while 69% of board members report seeing eye-to-eye with their CISO, only 51% of CISOs feel the same.
Proofpoint, a leading cybersecurity and compliance company, and Cybersecurity at MIT Sloan (CAMS), an interdisciplinary research consortium, have released their Cybersecurity: The 2022 Board Perspective report, which explores board of directors’ perceptions about their key challenges and risks. Cybersecurity is dominant on their agendas.
More than three-quarters (77%) of participants agree cybersecurity is a top priority for their board and 76% discuss the topic at least monthly. In line with this, 75% believe their boards clearly understand the systemic risks their organisations face and 76% assert they’ve made adequate investments in cybersecurity.
But this optimism may be misplaced. Our report found that nearly two-thirds (65%) of board members believe their organisation is at risk of material cyberattack in the next 12 months. Almost half (47%) feel their organisation is unprepared to cope with a targeted attack. And only two-thirds of board members view human error as their biggest cyber vulnerability, despite the World Economic Forum finding that this risk leads to 95% of all cybersecurity incidents.
The Cybersecurity: The 2022 Board Perspective report examines global, third-party survey responses from 600 board members at organisations with 5,000 or more employees from different industries. In August 2022, 50 board directors were interviewed in each market across 12 countries: the US, Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil and Mexico.
The report explores three key areas: the cyberthreats and risks boards face, their level of preparedness to combat those threats and their alignment with CISOs, measured against the CISO sentiments Proofpoint uncovered in its 2022 Voice of the CISO report. We found a disconnect between the two sides in how they assess cyber-risks, the consequences of an incident and the threats they face.
“It is encouraging to see that cybersecurity is finally a focus of conversations across boardrooms,” said Lucia Milică, Vice President and Global Resident CISO at Proofpoint. “However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organisations for material cyberattacks. One of the ways boards can boost preparedness is by getting on the same page with their CISOs. The board-CISO relationship is instrumental in protecting people and data and each side must strive towards more effective communication and collaborative effort to ensure organisational success.”
Proofpoint and CAMS’ report highlights global trends, along with industry and regional differences among organisational leaders. Key global findings include:
• There is a disconnect between the boardroom and CISOs when evaluating the risk posed by today’s sophisticated cybercriminals: 65% of board members believe that their organisation is at risk of material cyberattack in the next 12 months, compared to 48% of CISOs.
• Board members and CISOs have broadly similar concerns about the threats they face, but rank them differently: Board members ranked email fraud/Business Email Compromise (BEC) as their top concern (41%), followed by cloud account compromise (37%) and ransomware (32%). While email fraud/BEC and cloud account compromise are also among the top concerns for CISOs, they view insiders as their top threat, whereas board members rate insiders as a lower concern.
• Awareness and funding do not translate into preparedness: Although 75% of those surveyed feel their board understands their organisation’s systemic risk, 76% think they have invested adequately in cybersecurity, 75% believe their data is adequately protected and 76% discuss cybersecurity at least monthly, these efforts appear insufficient – 47% still view their organisation as unprepared to cope with a cyberattack in the next 12 months.
• Board members disagree with CISOs about the most important consequences of a cyber-incident: Internal data becoming public is at the top of the list of concerns for boards (37%), followed closely by reputational damage (34%) and revenue loss (33%). These concerns are in sharp contrast with those of CISOs, who are more worried about significant downtime, disruption of operations and impact on business valuations.
• High employee awareness doesn’t protect against human error: Although 76% of those surveyed believe their employees understand their role in protecting the organisation against threats, 67% of board members believe human error is their biggest cyber-vulnerability.
• The relationship between boards and CISOs has room for improvement: There is a sharp variance in perspective between board members and CISOs: while 69% of board members report seeing eye-to-eye with their CISO, only 51% of CISOs feel the same.
• Boards are warming up to regulatory oversight: 80% of respondents agree that organisations should be required to report a material cyberattack to regulators within a reasonable timeframe and only 6% disagree.
“Board members play a key role in their organisations’ cybersecurity culture and cybersecurity posture,” said Dr Keri Pearlson, Executive Director at Cybersecurity at MIT Sloan (CAMS). “Board members have fiduciary and oversight responsibility for their organisations; therefore, they must understand the cybersecurity threats their organisations face and the strategy their organisations take to be cyber-resilient.
“Board members need to look for ways to make CISOs their strategic partners. With cybersecurity risk front and centre on boardroom agendas, a better alignment of CISOs’ and boards’ cybersecurity priorities will only serve to improve their organisations’ protection and resilience.”