In the United States, the 2015 US State of Cybercrime Survey appears to reverse the findings of a number of previous surveys there over the last 12 months: despite talking the talk, many US boardrooms remain in denial about the importance of engaging, or engaging meaningfully, in any information security decision-making process.
Out of a pool of 500 US business executives, law enforcement services and government agencies surveyed, there were three tiers of outcomes with regard to Board alignment: “horrendous, adequate and excellent”.
Of the bad and moderately sufficient returns:
• 28% said their security leaders make no presentations at all to the Board;
• 26% of Chief Information Security Officers (CISOs), or their organisation’s equivalent, said they provided an annual presentation to the Board; whilst
• 30% confirmed their security experts offered quarterly cyber security reports.
As one would expect, larger organisations appear to take a more proactive view on countering cyber threats, but this is not uniform. Looking at the responses by organisation size alone:
• 33% of smaller enterprises acknowledged there was no advice to the Board at all; however
• 18% (nearly one fifth) of larger-enterprise CISOs reported that they too offered no advice to the Board.
This is a gross oversight by the business community that needs redressing. The IT security decision maker in any organisation today must be given the necessary tools, resources and, if needed, external security consultancy, in order to best advise the Board and deploy the most appropriate, up-to-date security measures.
There appears to be a real disconnect in the relationship between the Board and the CISO, as these evenly divided results show:
• 42% of respondents viewed cyber security as a corporate governance issue, but equally
• 42% did not see cyber security as a corporate governance issue.
Q. Following on from this, how often should a Board be updated by its IT security experts?
A. Realistically, with today’s threats occurring far more frequently, in more sophisticated ways and more perniciously, this should be monthly, at each main Board meeting. Only then can a proper relationship be formed, trust developed and a proper digest delivered: the current state of resilience, any threats identified in the last 30 days (how they were dealt with and the lessons learned), and forecasts from gap risk analysis identifying what, if any, additional security measures or software are reasonably required.
CISO and Senior Vice President at global investment and advisory firm Blackstone, Jay Leek, added: “I’m telling (the Boards) that it’s not possible to stop everything and that some threats are going to get in, and why it’s so important to be able to respond effectively. It’s very important just to get boards to understand that.” Let’s just hope for a ripple effect across the international business community.