Given the number of security breaches making headlines these days, cybersecurity professionals might legitimately be wondering if anybody is really listening to them. The news on that front is decidedly mixed.
On the plus side, a survey of over 450 companies conducted by the Economist Intelligence Unit (EIU) on behalf of Willis Towers Watson, a global advisory, broking and solutions company, finds almost 40 percent of business executives surveyed felt that the board should oversee cybersecurity, compared with 24 percent who felt it should be the role of a specialized cybersecurity committee. A small portion of respondents believed it should be the responsibility of audit, risk or some other subgroup.
However, the reason boards need to become more involved in cybersecurity might give cybersecurity professionals pause. Only eight percent of executives say that their chief information security officer (CISO) or equivalent performs above average in communicating the financial, workforce, reputational or personal consequences of cyber threats. Less than a quarter of executives say that their cyber resilience board briefings are “well above average,” and under 15 percent gave their CISOs or equivalent a top rating on a scale of one to ten.
Of course, it’s not clear whether the issue is how the cybersecurity message is being delivered or whether the business executives it is being delivered to simply don’t have enough knowledge to comprehend the information being shared. Only 30 percent of executives believe they have enough directors who understand cyber risks, and only 23 percent are actively recruiting directors who understand those risks.
The one place where there is some unanimity is on the need for cybersecurity professionals to work more closely with human resource (HR) professionals. Two-thirds of companies surveyed believe an HR and information security partnership is key. When asked who takes the lead role in developing employee-related cyber risk policies, 54 percent said HR leads with information security advising, and 28 percent said information security leads with HR advising. The one thing that is clear is that more emphasis is being placed on end-user training, which arguably is now the first line of cybersecurity defense.
The chances that boards are going to become savvier about cybersecurity any time soon are low. It’s always going to be easier for cybersecurity professionals to acquire business acumen. That doesn’t mean cybersecurity professionals need to acquire a Master’s in Business Administration (MBA). But it does mean cybersecurity professionals need to be able to clearly articulate the real risks to the business. Overstating that risk is counterproductive. Business executives understand that every business decision involves risk. What they want from cybersecurity professionals is a reasonable assessment of the business risks the organization faces. If the proverbial cybersecurity sky is always falling, business executives are going to turn not only a deaf ear but also a blind eye.
Clearly what we have here is a classic failure to communicate. Cybersecurity professionals tend to assume the rest of the business understands the nature of the threat. In truth, most business executives are aware there is a potential threat. But to what degree cybersecurity attacks represent an existential threat to the business remains anybody’s guess.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.