There’s a clear lack of accountability, especially on the board and among C-suite executives, and a lack of confidence in determining the efficacy of security technologies.
AttackIQ and Ponemon Institute surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organizations’ IT security strategy, tactics, and technology investments.
“Enterprise culture is formed at the top. If enterprise leaders are not actively engaged in ensuring a strong cybersecurity posture, it sends the message that cybersecurity is not a mission-critical issue,” said Larry Ponemon, chairman of Ponemon Institute.
“The board of directors and C-suite typically come under fire when their organization suffers a data breach or other security incident, and therefore must be involved in enforcing a proactive approach to identifying and remediating security gaps.
“While most companies have an executive tasked with accurately determining the efficacy of their cybersecurity strategy, they need to be communicating these findings to senior leaders and the board on a regular basis.”
According to the findings, the board of directors and senior leadership are not actively engaged in ensuring the effectiveness of their organization’s security strategy. Key data points include:
- 63 percent of survey respondents say their IT security leadership does not report to the board on a regular basis, and 40 percent say they don’t report to the board at all
- 14 percent of respondents say their IT security leadership only reports to the board following a security incident
- Only 28 percent of respondents say the board and CEO determine and/or approve the acceptable level of cyber risk for the organization
- Only 21 percent of respondents say their board and CEO require cybersecurity due diligence in a merger and acquisition process, a critical step in minimizing the potential risk
Most organizations do not take a proactive approach to security and acknowledge that their IT security infrastructure has gaps in coverage, allowing attackers to penetrate defenses.
They need better monitoring tools to improve their ability to communicate the effectiveness of their security infrastructure to the board and C-suite. Key data points include:
- 69 percent of respondents say their organization’s security approach is reactive and incident driven
- 63 percent of respondents say their IT security leadership needs better monitoring tools to improve their ability to communicate the effectiveness of security infrastructure and potential gaps to the C-suite and board
- 56 percent of respondents say their IT security infrastructure has gaps in coverage that allow attackers to penetrate its defenses
Most organizations do not have a mature program for measuring their IT security posture, and even among those that do, many do not report these findings to the board. Respondents cited a lack of appropriate monitoring tools that generate adequate and accurate information on IT security posture as a primary reason for failing to report to the board.
Key data points include:
- Only 24 percent of respondents say they have a mature measurement and metrics program, and 30 percent say they have a partial metrics program
- 40 percent of respondents say they do not quantify and track the company’s IT security posture at all
- Of the respondents who have either a mature or partial measurement program, only 39 percent report the findings to the board
“Data breaches and other security incidents continue to plague enterprises, shining a light on the need for companies to shift to a proactive approach to ensuring a strong security posture. Senior leaders, including CEOs and board members, need accurate and comprehensive data in order to determine acceptable cyber risk levels and ensure their organization is positioned to prevent disruption to critical infrastructure,” said Brett Galloway, CEO of AttackIQ.