Cybersecurity Slowly Making it to the Boardroom
The most important decision a company will make about cybersecurity is its priority. Without support from the very top, an organization’s security staff will never get the resources necessary to adequately protect the company. Unfortunately, the board of directors and C-suite have historically been at odds with their own company’s security leaders when it comes to the importance of cybersecurity.
Lack of Top Level Support a Huge Security Impediment
A report published by The Economist Intelligence Unit in 2016 titled “The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise” highlights the security chasm between top leaders and those tasked with securing the organization. The study asserts that corporate leadership and security executives do not share the same commitment to cybersecurity, finding that cybersecurity ranks as the number one priority for security leaders, but only number nine for the C-suite. Despite years of news reports about destructive data breaches at leading firms, security ranks near the bottom of the C-suite’s priority list. Only 5% of C-suite executives consider it the highest priority corporate initiative—second to last on a list of ten major corporate initiatives. Research by Deloitte also emphasized the lack of support for cybersecurity at the board level, finding that just one in twenty boards (5%) has any cybersecurity experience among its members. The Deloitte study also revealed that boards of directors are often aware of cybersecurity problems, but show no evidence that they are tackling them.
The Gap is Closing – Slowly
The good news is that there is recent evidence that the gap between security leaders and top-level management regarding security is slowly closing. A number of factors, including the WannaCry ransomware attacks and new legislation, are changing the way boardrooms and executive staff members view cybersecurity. A new report by data loss prevention firm Clearswift found that following WannaCry, 29% of businesses are adding cybersecurity to the boardroom agenda. Another 29% of companies globally will be implementing stronger cybersecurity measures.
In New York state, new legislation requires additional cybersecurity controls for financial service industries, including the introduction of multi-factor or risk-based authentication, encryption of non-public information both in transit and at rest, and processes to protect data handled by third parties. The legislation also requires that organizations establish a Chief Information Security Officer (CISO) function, hire well-qualified and highly trained cybersecurity personnel, and get their board of directors actively involved in the company’s cybersecurity strategy. Although the legislation targets New York companies, it impacts organizations everywhere.
New European laws are also emerging that directly impact boardroom views regarding cybersecurity. The upcoming General Data Protection Regulation (GDPR), which will replace the outdated 1998 Data Protection Act, adds financial incentives for board members to invest in security. Currently, most companies do not view the costs associated with a data breach as significant enough to stimulate significant investments in security. But the GDPR will massively hike financial penalties for organizations that suffer a data breach, penalizing them £20m (around US$26 million) or 4% of their annual turnover – whichever is higher.
Management Team Accountable for Cybersecurity
Brian Laing, VP of Business Development & Products at Lastline says: “When a company experiences a significant security incident, it’s not just the company that suffers tangible losses. The management team will often pay a steep price as well. We are seeing more and more cases where senior managers are held directly accountable for cybersecurity.”
Although progress is slow, we are starting to see evidence that support for increased cybersecurity is finally making it to the boardroom. This will make it dramatically easier for an organization’s security team to obtain the resources required to strengthen its cybersecurity. Although this trend is just beginning, the potential benefits are significant indeed.