73% of board members believe they face the risk of a major cyber attack in the next 12 months, a notable increase from 65% in 2022, according to Proofpoint.
Likewise, 53% feel unprepared to cope with a targeted attack, up from 47% the previous year.
The emerging risk of AI tools
This year-over-year change may reflect the ongoing volatility of the threat landscape, including lingering geopolitical tensions and rises in disruptive ransomware and supply chain attacks. The emerging risk of artificial intelligence (AI) tools such as ChatGPT may also be contributing to these sentiments: 59% of board members believe generative AI is a security risk for their organization.
Board members have those concerns even though 73% view cybersecurity as a priority, 72% believe their board clearly understands the cyber risks they face, and 70% believe they have adequately invested in cybersecurity.
“The newfound alignment between board members and their CISOs on cyber risk and preparedness is a positive sign that the two sides are working closer together and making progress. However, this growing alliance hasn’t yet delivered significant changes in cybersecurity posture, despite boards feeling good about the time and resources they’re investing to combat this risk,” said Ryan Kalember, EVP of cybersecurity strategy at Proofpoint.
“Our findings show that it remains a challenge to translate increased awareness into effective cybersecurity strategies that protect people and data. Growing even stronger board-CISO relationships will be instrumental in the months ahead so directors and security leaders can have more meaningful conversations and ensure they’re investing in the right priorities,” added Kalember.
Awareness and funding do not translate into preparedness
With tools like ChatGPT getting much of the spotlight in recent months, 59% of those surveyed view this emerging technology as a security risk to their organization. 73% of those surveyed feel their organization is at risk of a material cyber attack, compared to 65% in 2022.
73% of directors agree that cybersecurity is a priority for their board, 72% believe their board clearly understands the cyber risks they face, 70% think they have adequately invested in cybersecurity, and 84% believe their cybersecurity budget will increase over the next 12 months; however, these efforts are not leading to better preparedness—53% still view their organization as unprepared to cope with a cyber attack in the next 12 months.
Board members ranked malware as their top concern (40%), followed by insider threat (36%) and cloud account compromise (36%). This is only slightly different from CISOs’ top concerns of email fraud/BEC (33%), insider threat (30%), and cloud account compromise (29%).
Personal liability is a concern for boards and CISOs alike
While most directors (63%) and CISOs (60%) agree that human error is their biggest risk, board members are much more confident in their organization’s ability to protect data, 75% of directors share this view, compared to only 60% of CISOs. 37% of board directors said their organization’s cybersecurity would benefit from a bigger budget, 35% would like to see more cyber resources, and 35% would like better threat intelligence.
53% of directors say they interact with security leaders regularly. While an increase from last year’s 47%, it still leaves nearly half of all boardrooms without strong CISO-C-suite relationships. Board members and CISOs are generally closely aligned when they do interact, however, with 65% of board members saying they see eye-to-eye with their CISO and 62% of CISOs agreeing.
72% of board directors expressed concern about personal liability in the wake of a cybersecurity incident at their own organization, and 62% of CISOs agree.
“Board members are taking cybersecurity matters seriously, demonstrating they have no illusions about human risk and the impact cyber threats pose to an organization’s bottom line. They are making strides in their relationships with security leaders, understanding that strong board-CISO partnerships are more critical than ever,” said Kalember. “But this is not a time to grow complacent. Boards must continue to invest heavily in improving preparedness and organizational resilience. This means pushing for even deeper, more productive conversations with CISOs to ensure directors are making informed, strategic decisions that drive positive outcomes.”
Overall, CISOs and board members are working much more closely than ever before. This progress offers hope that boardroom perspectives on cybersecurity are shifting from a necessary compliance task to an enabler that can help to shape business strategy.
The strengthening of this relationship also appears to be boosting boardroom confidence around cybersecurity. Despite concerns about impending attacks and lack of preparedness, board members say they feel comfortable and in control of their cybersecurity posture.