What does the board know about cybersecurity?
In a recent Wall Street Journal article, contributors ask whether boards of directors are capable of cybersecurity oversight.
The IT landscape is constantly evolving, and cybersecurity has become a critical risk management issue that demands effective board oversight. Expecting dedicated IT security professionals to keep on top of it is one thing, but how does the board cope when it comes to understanding the nuances of cybersecurity?
In a recent article, WSJ Pro Research Director Rob Sloan and WSJ Pro Research Analyst Leslie Acebo discussed a joint survey of 472 corporate board directors undertaken by WSJ Pro and the National Association of Corporate Directors. Set against a backdrop of emerging data protection regulation, a constantly evolving cyber threat landscape and the future impact of quantum computing and AI, how well prepared are board members to provide effective cybersecurity oversight? According to the research, the answer is “it depends”.
Much of this discussion is prompted by the new US Securities and Exchange Commission regulations for cyber-risk management, part of which would require companies to disclose which directors have cybersecurity expertise. According to the research, more than three quarters (76%) of respondents said the board already contained at least one cyber expert, with 19% saying the board contained three or more. That’s great news, right? Well, it depends on your point of view.
The disconnect is real
Picking through the numbers from this report in a little more detail, the WSJ contributors put a positive spin on statistics such as “in 62% of cases, the board’s overall awareness of cyber risk shows significant improvement”. Does this mean that in 38% of cases the presence of a qualified cybersecurity expert does not lead to an increase in threat awareness? The same data set shows that less than half of the respondents thought the board’s ability to manage cyber-risk was greatly improved. Finally, the presence of a cyber expert only leads to a change in management’s approach to cybersecurity 30% of the time!
There’s an old trope about lies, damn lies and statistics. The numbers are the numbers. However, the devil lies in the details and our interpretation of them.
The level of expertise or preparedness appears to vary widely by company size or industry. As you might expect, smaller businesses feel they are less well prepared, with less of an understanding of their evolving compliance obligations and less confidence in their ability to cope with a cybersecurity crisis.
A similar disparity is evident across industry verticals. Naturally, technology companies have a firmer grasp of their obligations and capabilities, but critical industries such as healthcare, energy and utilities trail by a significant margin.
If 76% of boards already have a cyber expert in place, why is there such a disconnect between cyber policy and reality? Why are the headlines filled with examples of catastrophic data breaches and why, when data is lost or stolen, is it not encrypted?