Cybersecurity at MIT Sloan - 2022 Board Perspective Report

Collaboration_Press_Release

Proofpoint, Inc., a leading cybersecurity and compliance company, and Cybersecurity at MIT Sloan (CAMS), an interdisciplinary research consortium, today released their Cybersecurity: The 2022 Board Perspective report, which explores board of directors’ perceptions about their key challenges and risks. Cybersecurity is dominant on their agendas. Seventy-seven percent of participants agree cybersecurity is a top priority for their board and 76% discuss the topic at least monthly. Consequently, 75% believe their boards clearly understand the systemic risks their organisations face and 76% assert they’ve made adequate investments in cybersecurity.

But this optimism may be misplaced. Our report found that nearly two-thirds (65%) of board members believe their organisation is at risk of material cyber attack in the next 12 months. Almost half (47%) feel their organisation is unprepared to cope with a targeted attack. And only two-thirds of board members view human error as their biggest cyber vulnerability, despite the World Economic Forum finding that this risk leads to 95% of all cybersecurity incidents.

The Cybersecurity: The 2022 Board Perspective report examines global, third-party survey responses from 600 board members at organisations with 5,000 or more employees from different industries. In August 2022, 50 board directors were interviewed in each market across 12 countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico.

The report explores three key areas: the cyber threats and risks boards face, their level of preparedness to combat those threats, and their alignment with CISOs based on the CISO sentiments Proofpoint uncovered in its 2022 Voice of the CISO report. We found a disconnect between the two sides in cyber risks, consequences, and threats.

“It is encouraging to see that cybersecurity is finally a focus of conversations across boardrooms. However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organisations for material cyber attacks,” said Lucia Milică, vice president and global resident CISO at Proofpoint. “One of the ways boards can boost preparedness is by getting on the same page with their CISOs. The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organisational success.”

Proofpoint and CAMS’ Cybersecurity: The 2022 Board Perspective report highlights global trends, along with industry and regional differences among organisational leaders. Key global findings include:

  • There is a disconnect between the boardroom and CISOs when evaluating the risk posed by today’s sophisticated cybercriminals: 65% of board members believe that their organisation is at risk of material cyber attack in the next 12 months, compared to 48% of CISOs.
  • Board members and CISOs have similar concerns about the threats they face: board members ranked email fraud/business email compromise (BEC) as their top concern (41%), followed by cloud account compromise (37%), and ransomware (32%). While email fraud/BEC and cloud account compromise are also among top concerns for CISOs, they view insiders as their top threat, whereas board members rate insiders as a lower concern.
  • Awareness and funding do not translate into preparedness: although 75% of those surveyed feel their board understands their organisation’s systemic risk, 76% think they have invested adequately in cybersecurity, 75% believe their data is adequately protected, and 76% discuss cybersecurity at least monthly, these efforts appear insufficient—47% still view their organisation as unprepared to cope with a cyber attack in the next 12 months.
  • Board members disagree with CISOs about the most important consequences of a cyber incident: internal data becoming public is at the top of the list of concerns for boards (37%), followed closely by reputational damage (34%) and revenue loss (33%). These concerns are in sharp contrast with those of CISOs, who are more worried about significant downtime, disruption of operations, and impact on business valuations.
  • High employee awareness doesn’t protect against human error: although 76% of those surveyed believe their employees understand their role in protecting the organisation against threats, 67% of board members believe human error is their biggest cyber vulnerability.
  • The relationship between boards and CISOs has room for improvement: there is a sharp variance in perspective between board members and CISOs: while 69% of board members report seeing eye-to-eye with their CISO, only 51% of CISOs feel the same.
  • Boards are warming up to regulatory oversight: 80% of respondents to the survey agree that organisations should be required to report a material cyber attack to regulators within a reasonable timeframe and only 6% disagree.

“Board members play a key role in their organisations’ cybersecurity culture and cybersecurity posture. Board members have fiduciary and oversight responsibility for their organisations; therefore, they must understand the cybersecurity threats their organisations face and the strategy their organisations take to be cyber resilient,” said Dr. Keri Pearlson, executive director at Cybersecurity at MIT Sloan (CAMS). “Board members need to look for ways to make CISOs their strategic partners. With cybersecurity risk front and centre on boardroom agendas, a better alignment of CISOs’ and boards’ cybersecurity priorities will only serve to improve their organisations’ protection and resilience.”

To download the Cybersecurity: The 2022 Board Perspective report, please visit:

https://www.proofpoint.com/us/resources/white-papers/board-perspective-report

Visit Proofpoint’s CISO Hub at www.proofpoint.com/us/ciso-hub, a home for CISO-level content, including insights, research, trends, technical resources, tools, and upcoming events. Each month features a timely topic uniquely relevant to the CISO role. 

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web.

More information is available at www.proofpoint.com.

About Cybersecurity at MIT Sloan

Cybersecurity at MIT Sloan (CAMS) is an interdisciplinary research consortium headquartered in the Sloan School of Management at MIT. In collaboration with researchers from departments around MIT and beyond, CAMS addresses the important need to improve the cybersecurity of all organisations through an interdisciplinary research approach focused on the strategic, managerial, and operational issues related to cybersecurity. CAMS brings together thought leaders from industry and government with MIT faculty, researchers and students. The research consortium delivers its findings and actionable insights through published research papers, high-impact managerial outlets, and a variety of meetings, workshops, conferences, and educational activities. Find CAMS research in Harvard Business Review, Sloan Management Review, The Wall Street Journal, The New York Times and many other publications. Members of CAMS, whose support funds the research and who have first access to the findings, include companies from many different industries including financial services, energy, chemicals, healthcare, industrial automation, manufacturing, information services, natural gas, utilities, and more. Please visit us at cams.mit.edu.