Cyber attacks have been unrelenting over the past 12 months. As organisations of all types grapple with high-profile data breaches, ransomware and supply chain attacks, cybersecurity discussions are growing more critical at the board level. At the same time, board members feel their organisations are less prepared to deal with cybersecurity issues than they were the year before.
Those are just a few of the findings of Cybersecurity: The 2023 Board Perspective, our second annual survey of board members across a wide swath of industries around the world.
First, here are some of the positive findings from our second annual report on board perspectives. Of the 659 board members we surveyed across 12 countries:
- 73% believe cybersecurity is a high priority for their board
- 72% feel their boards understand the threats they face
- 70% agree they have adequately invested in resources
Increased awareness and investment do not translate into a better security posture, though. Seventy-three percent of board members believe their company is at risk for a major cyber attack in the next 12 months—up from 65% in 2022. And 53% report that their companies are unprepared to cope with a targeted attack. That’s up from 47% last year.
This change may reflect the volatile threat landscape of the past year. Concerns about emerging tech such as generative artificial intelligence (AI) are a factor, too. More than half (59%) of survey respondents believe generative AI tools like ChatGPT are a security risk for their business.
Better communication, more agreement between boards and CISOs
Another takeaway from our research is that the relationship between boards and CISOs is improving. For one, they are having conversations with each other more often. Fifty-three percent of directors say they interact regularly with their security leaders. That’s up from 47% in 2022. But there is still room for improvement. Less than two-thirds (64%) of board directors agree that they understand cybersecurity issues well enough to have an informed discussion with their CISO.
We also discovered that boards and CISOs are in better agreement when they interact. Nearly two-thirds (65%) of board members surveyed reported seeing eye-to-eye with the CISO. The finding aligns with our Voice of the CISO report published in May. In that report, 62% of CISOs we surveyed agreed that their board sees eye-to-eye with them on cybersecurity issues vs. 51% in 2022.
Board members and CISOs may finally be moving away from their long history of strained relationships, which is obviously good news. Greater harmony between the two will be instrumental in their companies’ efforts to improve preparedness and make strategic investments in cybersecurity in the years ahead.
Board agenda item: continuing to expand cybersecurity knowledge
While the presence of a C-level security leader in the boardroom is reassuring, directors can’t be complacent. Now that they’re closer to speaking the same language as the CISO, board members must make an honest assessment of their company’s cybersecurity capabilities, and they must act to help the organisation close gaps in its defences.
It is a positive sign that board-level awareness is no longer a hurdle in driving the cybersecurity agenda forward. But translating awareness into strategic action remains a challenge.
Even before the recent SEC rules were announced, it was clear that boards needed to deepen their knowledge of cybersecurity risks. They must also ensure that their risk mitigation strategies can adequately defend their people and data—not only in today’s threat landscape but well into the future.
Read the Cybersecurity: The 2023 Board Perspective report to view the full findings from our survey.