May 17, 2018 By Christophe Veltsos 3 min read

PwC released its 2017 Annual Corporate Directors Survey at the end of last year where it polled over 850 board directors from a wide range of organizations across a dozen industries. Among the topics covered in the survey were the usual board-level concerns about executive compensation, diversity, shareholder activism and environmental, social and governance issues.

But there were also two key areas of interest for those concerned about cyber risks: strategy oversight and board oversight of IT and security. “Considering the pace of change, companies and boards need to be agile in addressing threats to executing their current strategy, as well as disruptions to their entire business model,” the survey stressed.

Do You Have Enough Cybersecurity Expertise?

Directors reported very high levels on skill sets related to financial expertise (85 percent), risk management expertise (65 percent) and industry expertise (62 percent). However, when it comes to cybersecurity expertise, only 16 percent of companies report having enough. Thirty-nine percent of boards currently have some expertise in cybersecurity in their ranks but admit to needing more — and one-third of boards currently have no cybersecurity expertise and are seeking it out.

Who is tasked with oversight? Exactly half of the boards have delegated that responsibility to the audit committee, while 30 percent of companies look at cybersecurity as a full-board issue. Another 16 percent have cybersecurity reviewed by a dedicated risk committee or an IT steering committee. When asked whether the board needs to allocate more time to specific topics, the top three items reported are cybersecurity (66 percent), strategic planning (64 percent) and IT and digital strategy (61 percent).

Board Oversight: IT and Security

Board directors are reporting spending more time and attention (with ample room for improvement) on cybersecurity. But are they happy with the information they are receiving? When asked to evaluate the presentation skills of various groups, chief information security officers (CISOs) came in last place with only a 19 percent rating of excellent.

Does the increased level of board engagement translate into breach readiness? While 42 percent of respondents reported being “very comfortable” that their company had “appropriately tested its resistance to cyberattacks,” another 45 percent were only moderately comfortable. Asked about whether the company had adequately tested its cyber incident response plan (CIRP), only 32 percent of respondents reported being very comfortable, 49 percent moderately comfortable and 19 percent clearly labeled their organization’s current efforts as “not sufficient.”

Board Oversight: Strategy

Overall, the board gives management high marks on involving the board on strategy development and communicating the strategy to board members — but the numbers point to a disconnect regarding the quality of the information provided. Twenty-two percent of directors said the quality of the information they received regarding emerging and disruptive technologies — and their impact on enterprise strategy — was “lacking.”

Similarly, 23 percent of boards were not happy with the quality of information shared regarding the strategic options that management considered but ultimately rejected.

Given that the role of the board is to contribute to strategy development; oversee management’s implementation of the chosen strategy; and monitor the alignment of risks, performance and strategy, directors want access to quality information to ensure they achieve organizational objectives. Directors are especially concerned that strategy will need to change in the coming years due to factors like the speed of technological change and cyberthreats.

The Trouble With ‘Don’t Have It, Don’t Need It’

Obviously, IT and cybersecurity aren’t the only concerns on board directors’ minds. However, it is troubling to see that 10 percent of respondents indicated they didn’t have any IT and digital expertise on the board — and didn’t need it. In the same vein, as many as 4 percent of respondents acknowledged that cybersecurity was currently receiving no board oversight at all.

The survey cautions boards to be adequately engaged with the oversight of cybersecurity, noting that cybersecurity is an issue that affects the entire company, calling it a “pervasive risk” that needs the attention of the full board. It also recommends that each director understand the level of preparation of the company to detect, respond to and recover from a cybersecurity event.

Board directors — all the way down to the CISO — should follow these recommendations:

Understanding the overall state of strategic oversight and board oversight of IT and security across a number of industries could help you identify where your organization’s focus should be.

Listen to the podcast: Take Back Control of Your Cybersecurity Now

More from Risk Management

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today