There’s no shortage of arguments that cybersecurity needs to be aligned with the needs of the business, or that security is now a “boardroom issue.” And it seems that a new report or study is issued every day that states that boards of directors are more involved with their organizations’ cybersecurity efforts than ever before.
That’s the established narrative, but is it so? Our recent 2015 US State of Cybercrime Survey of more than 500 respondents, including US business executives, law enforcement services, and government agencies, throws a bit of cold water on those findings.
The cybercrime survey found that organizations come in three variants when it comes to board alignment: horrendous, adequate, and excellent. First, the horrendous and the adequate. Nearly a third, 28 percent, of respondents said their security leaders make no presentations at all to the board, while one in four, or 26 percent, of CISOs (or their organization’s equivalent) provide only an annual presentation to their board of directors.
That leaves about 30 percent of respondents who said their senior security executives stay in regular contact with the board by providing quarterly cybersecurity presentations.
Not surprisingly, CISOs from larger organizations are more likely to make a quarterly board presentation than those at smaller organizations. One-third of survey respondents at small enterprises reported that they don’t ever advise the board on cybersecurity efforts. Still, a shockingly high 18 percent of security leaders at larger enterprises don’t either.
None of this is especially good news for cybersecurity. Many security experts would agree that boards of directors must be part of the information security decision-making chain, and that cybersecurity should be viewed as a corporate-wide risk – not just a matter of IT risk to be dealt with by the IT department. Unfortunately, that’s precisely how many organizations view cybersecurity.
In fact, only 42 percent of respondents viewed cybersecurity as a corporate governance issue, while 42 percent do not. When it comes to the board relationship with cybersecurity, the results are divided: 30 percent on one end state that no board members or committees are actively engaged in cybersecurity, while at the other end of the spectrum, we have 25 percent of boards that are involved.
Unfortunately, at many organizations, security feels the disconnect. While business leaders talk about how important cybersecurity is, security laments that it’s not getting the tools and the resources needed to adequately secure the organization.
Jay Leek, SVP and chief information security officer at Blackstone, has spent considerable time talking to boards of directors about security.