Many recent high-profile cyber attacks illustrate how vulnerable organizations are to the growing intensity and sophistication of threats. Boardrooms are taking notice. Not long ago, board members viewed security as a CISO’s or CIO’s problem, but the conversation is finally taking place at the board level.
A new report, Cybersecurity: The 2022 Board Perspective, from Proofpoint and Cybersecurity at MIT Sloan (CAMS), reveals that cybersecurity is high on boardroom agendas. We surveyed 600 board members globally and learned that 77% agree security is a top board priority and 76% discuss the topic at least once a month. This increased interest has boosted boards’ confidence in the success of their efforts—three-quarters of them believe their boards clearly understand systemic risk and 76% feel that they have made adequate security investments.
However, the rapidly rising number of security incidents and data breaches, together with other data from our report, suggests that these conversations are not driving the best actions to bolster preparedness and resilience. Nearly two-thirds of surveyed board members believe their organization is at risk of a material attack in the next 12 months, and nearly half view their organization as unprepared to cope with a targeted attack.
When we compared board members’ sentiments with the insights from our recent 2022 Voice of the CISO report, we identified some of the reasons that awareness doesn’t translate into action. There is a disconnect between the two sides, not only on issues involving risks and threats, but also in their relationship.
For example, 65% of board members believe their organization is at risk of a material attack and only 48% of CISOs feel the same. What do CISOs know that board members don’t? Are CISOs so mired in technical jargon that their narratives are not resonating with their boards? Is this disconnect stemming from strained relationships? Our report found that 69% of board members say they don’t see eye-to-eye with their CISOs, but only 51% of CISOs share that view. If they don’t even agree on how they feel about each other, how can they align on critical views about security? Getting the board’s support for a defensive strategy is difficult when their priorities are misaligned.
As threat actors take advantage of our growing reliance on the digital economy, it is more important than ever for boards and CISOs to be on the same page. Without a strong board-CISO relationship, protecting people and defending data will be a growing struggle, because organizational success requires the two sides to work in harmony.
Considering the divergence we discovered, I am not surprised that only two-thirds of board members consider human error their biggest cyber vulnerability, even though the World Economic Forum found that this risk leads to 95% of all cyber incidents. People are on the front lines of our defenses, and unless they understand the threats they face and how to mitigate them, they leave our organizations vulnerable to both internal and external attackers. That means everyone inside the organization, including board members, must understand potential threats and where to be on guard against them.
Board members are especially instrumental in boosting security culture and organizational resilience because they serve as role models—not only for adhering to behaviors that minimize risks but also for driving the priorities at all levels throughout the organization. I am heartened to see they are finally taking their role in security seriously. But to ensure that their enthusiasm translates into action, they need their CISOs as strategic partners by their side.
Read the complete findings from Cybersecurity: The 2022 Board Perspective report.