Costly and reputation-diminishing cyber attacks have made cybersecurity governance a critical business issue. Concerns about cybersecurity are no longer limited to the IT function. Rather, the possibility of regulatory fines, litigation and costs associated with resolving a security incident has elevated the issue to the boardroom.
The purpose of Defining the Gap: The Cybersecurity Governance Study conducted by Ponemon Institute and sponsored by Fidelis Cybersecurity is to determine if boards of directors are a help or hindrance to creating a strong cybersecurity posture. As the findings reveal, boards of directors are not as informed and knowledgeable about cybersecurity risks as they should be in order to fulfill their governance responsibilities. They also lack visibility into the cyber threat landscape affecting their companies and suffer from distrust between IT security professionals and the board. We surveyed 245 board members in a variety of industry sectors in the United States and 409 IT security professionals, mainly CISOs, CIOs and CTOs.
The study reveals that boards have been slow to prioritize the importance of cybersecurity governance practices. It was not until the 2013 Target breach that cybersecurity risks had an impact on the board’s agenda. One possible explanation for the lack of attention to security threats could be their admitted lack of knowledge and expertise about cybersecurity. Sixty-seven percent of board members report they have only some knowledge (41 percent) or minimal or no knowledge about cybersecurity (26 percent).
Despite admitting their lack of knowledge about cybersecurity, 70 percent of board members have confidence that they understand the security risks their organizations face, as shown in Figure 1. However, only 43 percent of IT security professionals think that their board is informed about threats facing the organization. To bridge these very different perceptions about the board’s visibility into the threat landscape, more communication between the board and IT function is sorely needed.
Further, only 18 percent of IT security professionals believe their boards’ cybersecurity governance practices are effective. This gap in trust between corporate leadership and those in the trenches needs to be closed for organizations to face increasingly stealthy and sophisticated cyber risks.