For years, experts have said that cybersecurity threats need to be embraced at the board level, even going so far as to say it's a panacea for the future of data security. Now, a new report sheds light on the issue, suggesting that organizational security leaders often downplay such risks at board meetings.
The report, published by Trend Micro with support from Sapio Research, finds that while board members are aware of cybercrime and business risks, CISOs often “fail to get the message across to the board,” which has serious implications for achieving long-term strategic goals for cyber resilience.
The survey of more than 2,600 IT leaders responsible for cybersecurity noted that 79% of respondents felt pressured by their boards to downplay the seriousness of cyber risks, and 80% actually believe that only a major data breach would be enough motivation for board members to take tougher action.
CISOs are described as repetitive, vocal and overly negative
In fact, the report states that security leaders who push back are perceived by their respective boards as “repetitive,” “nagging” and “overly negative.” Of the cybersecurity leaders who felt pressured by their boards, 43% said they were perceived as both nagging and repetitive, and 42% said they were seen as overly negative.
“More than half of security leaders say cyber is their top business risk, but they're unable to communicate that risk in terms the board can understand. As a result, they're often ignored, downplayed, or accused of nagging,” Bharat Mistry, technical director at Trend Micro, said in a statement. Unless they can better align with senior management, companies' cyber resilience will be compromised, and the first step is to establish a single source of truth across the entire attack surface, he added.
Executive actions are often disjointed and lack strategic coherence
The report found that just over half (54%) of respondents are confident their company's C-suite has a full understanding of cyber risks within their organization, while 34% feel cybersecurity is treated as part of IT rather than as a business risk. Additionally, 80% believe only a major breach would prompt the board to take decisive action.
“Unfortunately, executive actions and investments driven by one-off events like these end up being fragmented and lacking strategic alignment. This can lead to the purchase of point products that fail to address the root causes of the breach or incident, often resulting in additional cost and complexity headaches down the line,” the statement said.
Trend Micro warned about this trend in 2020.
In fact, in a previous report published in November 2020, Trend Micro noted that 69% of business and technology leaders believe that cybersecurity is entirely or mostly a technology area that has little or no relevance to business, while another 11% equate cybersecurity with regulatory compliance.
Additionally, many organizations rate themselves as sufficient or poor in areas such as executive cybersecurity commitment and treating cybersecurity as a critical component of business strategy. Overall, the survey found that most organizations are not striving for “good security” but are settling for “good enough” security.
Such disconnects cannot bring about cyber resilience
Cybersecurity experts say this disconnect has serious implications for organizations, especially when it comes to long-term goals around data safety and cyber resilience. “The reality is that boards have little time for CISO-delivered PowerPoint presentations stuffed with industry jargon and irrelevant metrics,” the security firm said.
According to the report, boards are looking for insight into questions such as, “How does cyber support our business objectives? What is the return on investment (ROI) of our cyber investments? What is the impact of our latest digital transformation initiatives on cyber risk?” Rather than treating cybersecurity as a siloed program, boards want to ask strategic questions such as, “How secure is our company? How does our security program compare to those of our peers?”
Healthcare and financial services companies face biggest threats
Recently, another report based on a survey conducted by data collection firm SOAX revealed that the healthcare industry is the most vulnerable sector in the U.S. The study analyzed Identity Theft Resource Center data from 2020 to 2023 and ranked industries based on the number of reported incidents in 2023.
Other sectors on the list include financial services, professional services, manufacturing, education, technology, retail, nonprofits, transportation and government.
“The study predicts a sharp increase in cyber incidents across all US industries in 2023, with particular concern for the healthcare and financial services industries, which store vast amounts of sensitive information and are attractive targets for cybercriminals,” said Stepan Solov'ev, CEO and co-founder of SOAX.