There has been a dramatic increase in the attention that boards and executives are paying to cybersecurity risk management, according to a new global study developed by the Georgia Tech Information Security Center (GTISC).
The survey results indicate that, since 2008, boards and executives have been making concerted efforts to address cyber risks. Highlights include:
- Cybersecurity has risen to become one of the top boardroom issues, with nearly two-thirds (63%) of the survey respondents actively addressing computer and information security, up from 33 percent in 2012.
- Most boards – 53 percent – have established a Risk Committee separate from the Audit Committee, up from 8 percent in 2008; the Risk Committee has now taken over responsibility for oversight of cyber risk from the Audit Committee.
- Boards today are paying a great deal more attention to cyber insurance coverage – 48 percent of the respondents said their boards were focusing on cyber insurance, up from 28 percent in 2012.
- Boards also are placing a much higher value on risk and security experience when recruiting board directors – 59 percent of respondents said their board had a director with risk expertise, and nearly a quarter (23%) had one with cybersecurity expertise.
“It’s excellent to see that corporate executives are dramatically increasing efforts to manage cyber risks. Establishing an appropriate dialogue between technical experts and the executives who can prioritize resources is essential to effectively secure an organization. However, this increased attention must be coupled with appropriate action to apply the right combination of people, technology and processes to secure computing environments; this starts with establishing a breach prevention mindset. This study provides a basis for organizations around the globe to start having more discussions on just how to achieve this,” said Ryan Gillis, vice president of Cybersecurity Strategy and Global Policy at Palo Alto Networks.
The report compares survey results across critical infrastructure sectors and geographic regions and indicates that all industry sectors increased attention to cyber issues at the board and executive levels. Key findings include:
- The financial sector far exceeds other industry sectors with 86 percent having a board Risk Committee separate from the Audit Committee, followed by the IT/Telecom sector at 43 percent.
- North American and European boards are paying significantly more attention to cyber risks (85% and 58% respectively, up from 40% and 19%), while Asian boards showed no increase in attention to these issues (38% in both 2012 and 2015).
- North American board attention to cyber insurance doubled from 2012 (70% in 2015 vs. 35% in 2012); European boards showed a 26 percent increase, while Asian boards showed a 3 percent increase.
- Most Asian boards (98%) have a Risk Committee, whereas only 43 percent of European boards and 42 percent of North American boards have one.
- The industrial and financial sectors showed the largest increase in attention to cyber issues, and all sectors showed marked improvements in engaging in best practice activities to manage cyber risks.
There is still room for improvement; the study shows key challenges remain in some critical areas:
- It is still common for CISOs to report to CIOs (40% do), even though that reporting structure can create segregation-of-duties issues.
- While 63 percent of respondents said their board regularly or occasionally reviewed their annual security program, only 46 percent said they had participated in a test scenario of the plan.
- Boards need to ensure their organization’s security teams have the resources necessary to protect their digital assets; only 50 percent of the respondent boards are reviewing security budgets.
The survey polled board directors and executives from Forbes Global 2000 companies, and the report compares survey results from three previous surveys conducted in 2008, 2010, and 2012.