Board members should make CISOs their strategic partners

Proofpoint released their Cybersecurity: The 2022 Board Perspective report, which explores board of directors’ perceptions about their key challenges and risks.

Cybersecurity is dominant on their agendas. Seventy-seven percent of participants agree cybersecurity is a top priority for their board and 76% discuss the topic at least monthly. Consequently, 75% believe their boards clearly understand the systemic risks their organizations face and 76% assert they’ve made adequate investments in cybersecurity.

But this optimism may be misplaced. Our report found that 65% of board members believe their organization is at risk of material cyber attack in the next 12 months. 47% feel their organization is unprepared to cope with a targeted attack. And only two-thirds of board members view human error as their biggest cyber vulnerability, despite the World Economic Forum finding that this risk leads to 95% of all cybersecurity incidents.

The report examines global, third-party survey responses from 600 board members at organizations with 5,000 or more employees from different industries. In August 2022, 50 board directors were interviewed in each market across 12 countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico.

“It is encouraging to see that cybersecurity is finally a focus of conversations across boardrooms. However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organizations for material cyber attacks,” said Lucia Milică, vice president and global resident CISO at Proofpoint.

“One of the ways boards can boost preparedness is by getting on the same page with their CISOs. The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organizational success.”

Board of directors’ cybersecurity perceptions

There is a disconnect between the boardroom and CISOs when evaluating the risk posed by today’s sophisticated cybercriminals: 65% of board members believe that their organization is at risk of material cyber attack in the next 12 months, compared to 48% of CISOs.

Board members and CISOs have similar concerns about the threats they face: board members ranked email fraud/business email compromise (BEC) as their top concern (41%), followed by cloud account compromise (37%), and ransomware (32%). While email fraud/BEC and cloud account compromise are also among top concerns for CISOs, they view insiders as their top threat, whereas board members rate insiders as a lower concern.

Awareness and funding do not translate into preparedness: although 75% of those surveyed feel their board understands their organization’s systemic risk, 76% think they have invested adequately in cybersecurity, 75% believe their data is adequately protected, and 76% discuss cybersecurity at least monthly, these efforts appear insufficient—47% still view their organization as unprepared to cope with a cyber attack in the next 12 months.

Board members disagree with CISOs about the most important consequences of a cyber incident: internal data becoming public is at the top of the list of concerns for boards (37%), followed closely by reputational damage (34%) and revenue loss (33%). These concerns are in sharp contrast with those of CISOs, who are more worried about significant downtime, disruption of operations, and impact on business valuations.

High employee awareness doesn’t protect against human error: although 76% of those surveyed believe their employees understand their role in protecting the organization against threats, 67% of board members believe human error is their biggest cyber vulnerability.

The relationship between boards and CISOs has room for improvement: there is a sharp variance in perspective between board members and CISOs: while 69% of board members report seeing eye-to-eye with their CISO, only 51% of CISOs feel the same.

Boards are warming up to regulatory oversight: 80% of respondents to the survey agree that organizations should be required to report a material cyber attack to regulators within a reasonable timeframe and only 6% disagree.

“Board members play a key role in their organizations’ cybersecurity culture and cybersecurity posture. Board members have fiduciary and oversight responsibility for their organizations; therefore, they must understand the cybersecurity threats their organizations face and the strategy their organizations take to be cyber resilient,” said Dr. Keri Pearlson, executive director at Cybersecurity at MIT Sloan (CAMS).

“Board members need to look for ways to make CISOs their strategic partners. With cybersecurity risk front and center on boardroom agendas, a better alignment of CISOs’ and boards’ cybersecurity priorities will only serve to improve their organizations’ protection and resilience.”