May 17, 2018 By Christophe Veltsos 3 min read

PwC released its 2017 Annual Corporate Directors Survey at the end of last year where it polled over 850 board directors from a wide range of organizations across a dozen industries. Among the topics covered in the survey were the usual board-level concerns about executive compensation, diversity, shareholder activism and environmental, social and governance issues.

But there were also two key areas of interest for those concerned about cyber risks: strategy oversight and board oversight of IT and security. “Considering the pace of change, companies and boards need to be agile in addressing threats to executing their current strategy, as well as disruptions to their entire business model,” the survey stressed.

Do You Have Enough Cybersecurity Expertise?

Directors reported very high levels on skill sets related to financial expertise (85 percent), risk management expertise (65 percent) and industry expertise (62 percent). However, when it comes to cybersecurity expertise, only 16 percent of companies report having enough. Thirty-nine percent of boards currently have some expertise in cybersecurity in their ranks but admit to needing more — and one-third of boards currently have no cybersecurity expertise and are seeking it out.

Who is tasked with oversight? Exactly half of the boards have delegated that responsibility to the audit committee, while 30 percent of companies look at cybersecurity as a full-board issue. Another 16 percent have cybersecurity reviewed by a dedicated risk committee or an IT steering committee. When asked whether the board needs to allocate more time to specific topics, the top three items reported are cybersecurity (66 percent), strategic planning (64 percent) and IT and digital strategy (61 percent).

Board Oversight: IT and Security

Board directors are reporting spending more time and attention (with ample room for improvement) on cybersecurity. But are they happy with the information they are receiving? When asked to evaluate the presentation skills of various groups, chief information security officers (CISOs) came in last place with only a 19 percent rating of excellent.

Does the increased level of board engagement translate into breach readiness? While 42 percent of respondents reported being “very comfortable” that their company had “appropriately tested its resistance to cyberattacks,” another 45 percent were only moderately comfortable. Asked about whether the company had adequately tested its cyber incident response plan (CIRP), only 32 percent of respondents reported being very comfortable, 49 percent moderately comfortable and 19 percent clearly labeled their organization’s current efforts as “not sufficient.”

Board Oversight: Strategy

Overall, the board gives management high marks on involving the board on strategy development and communicating the strategy to board members — but the numbers point to a disconnect regarding the quality of the information provided. Twenty-two percent of directors said the quality of the information they received regarding emerging and disruptive technologies — and their impact on enterprise strategy — was “lacking.”

Similarly, 23 percent of boards were not happy with the quality of information shared regarding the strategic options that management considered but ultimately rejected.

Given that the role of the board is to contribute to strategy development; oversee management’s implementation of the chosen strategy; and monitor the alignment of risks, performance and strategy, directors want access to quality information to ensure they achieve organizational objectives. Directors are especially concerned that strategy will need to change in the coming years due to factors like the speed of technological change and cyberthreats.

The Trouble With ‘Don’t Have It, Don’t Need It’

Obviously, IT and cybersecurity aren’t the only concerns on board directors’ minds. However, it is troubling to see that 10 percent of respondents indicated they didn’t have any IT and digital expertise on the board — and didn’t need it. In the same vein, as many as 4 percent of respondents acknowledged that cybersecurity was currently receiving no board oversight at all.

The survey cautions boards to be adequately engaged with the oversight of cybersecurity, noting that cybersecurity is an issue that affects the entire company, calling it a “pervasive risk” that needs the attention of the full board. It also recommends that each director understand the level of preparation of the company to detect, respond to and recover from a cybersecurity event.

Board directors — all the way down to the CISO — should follow these recommendations:

Understanding the overall state of strategic oversight and board oversight of IT and security across a number of industries could help you identify where your organization’s focus should be.

Listen to the podcast: Take Back Control of Your Cybersecurity Now

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today