By Jessica Tasman-Jones
This article is brought to you by Agenda, an FT Specialist publication that focuses on corporate boards
Boards are at odds with their chief information security officers over how likely their organisations are to suffer a cyber attack and what its worst consequences would be, according to research.
Globally, 65 per cent of board members believed that their organisation could face a cyber attack in the next year, compared with 48 per cent of CISOs, according to a survey by MIT Sloan and Proofpoint, a California cyber security company. There were, however, marked differences by country.
Boards are highly aware of media reports about cyber security breaches, such as companies being taken offline by ransomware or customer data leaks, says Andrew Rose, CISO of Europe, Middle East and Africa at Proofpoint.
Top of the list of concerns in the survey was internal data becoming public, followed by reputational damage and then revenue loss.
CISOs, meanwhile, feared significant downtime, disruption of operations and the effect of breaches on business valuations, according to the report.
Nearly 85 per cent of UK board members said they saw eye to eye with their CISO on security issues, but only 65 per cent of CISOs felt the same.
Perspectives differ because boards view cyber risks in the context of other risks, whereas CISOs are focused on their field of expertise, says Louise Barber, a cyber security expert at PA Consulting.
The report points to the board’s role in protecting the value of shareholders’ investments in the face of reputational damage as another reason why views differ. CISOs are more concerned with operational issues.
Companies that have already been attacked tend to be better prepared than those that have not.
Rose says boards can build that kind of preparedness without suffering a real incident. “Running regular breach rehearsals with suppliers, customers, regulators and experts can provide a level of this confidence without having to experience the painful event,” he says.
“It may be that more boards need to insist that some of their time is focused on such events.”
Appointing the CISO to the board is another sensible precaution, says Lucia Milica, vice-president and global resident CISO at Proofpoint.
CISOs often report to chief information officers, chief technology officers or chief risk officers. This can restrict their influence, Barber says.
At many companies, CISOs report to their board once a year, says Keri Pearlson, executive director of Cybersecurity at MIT Sloan.
“That’s not enough for the CISO to develop relationships with board members,” says Pearlson. “It’s not really enough for the board to do adequate oversight given the rate of change and the bombardment of cyberattacks most companies experience.”
Boards should ask their CISO questions, discuss and debate the cyber security breaches they read about in the media, and keep cyber security on their agenda, Milica says.
This article is based on a story written by Frederic Lee for Agenda.