PwC released its 2017 Annual Corporate Directors Survey at the end of last year where it polled over 850 board directors from a wide range of organizations across a dozen industries. Among the topics covered in the survey were the usual board-level concerns about executive compensation, diversity, shareholder activism and environmental, social and governance issues.

But there were also two key areas of interest for those concerned about cyber risks: strategy oversight and board oversight of IT and security. “Considering the pace of change, companies and boards need to be agile in addressing threats to executing their current strategy, as well as disruptions to their entire business model,” the survey stressed.

Do You Have Enough Cybersecurity Expertise?

Directors reported very high levels on skill sets related to financial expertise (85 percent), risk management expertise (65 percent) and industry expertise (62 percent). However, when it comes to cybersecurity expertise, only 16 percent of companies report having enough. Thirty-nine percent of boards currently have some expertise in cybersecurity in their ranks but admit to needing more — and one-third of boards currently have no cybersecurity expertise and are seeking it out.

Who is tasked with oversight? Exactly half of the boards have delegated that responsibility to the audit committee, while 30 percent of companies look at cybersecurity as a full-board issue. Another 16 percent have cybersecurity reviewed by a dedicated risk committee or an IT steering committee. When asked whether the board needs to allocate more time to specific topics, the top three items reported are cybersecurity (66 percent), strategic planning (64 percent) and IT and digital strategy (61 percent).

Board Oversight: IT and Security

Board directors are reporting spending more time and attention (with ample room for improvement) on cybersecurity. But are they happy with the information they are receiving? When asked to evaluate the presentation skills of various groups, chief information security officers (CISOs) came in last place with only a 19 percent rating of excellent.

Does the increased level of board engagement translate into breach readiness? While 42 percent of respondents reported being “very comfortable” that their company had “appropriately tested its resistance to cyberattacks,” another 45 percent were only moderately comfortable. Asked about whether the company had adequately tested its cyber incident response plan (CIRP), only 32 percent of respondents reported being very comfortable, 49 percent moderately comfortable and 19 percent clearly labeled their organization’s current efforts as “not sufficient.”

Board Oversight: Strategy

Overall, the board gives management high marks on involving the board on strategy development and communicating the strategy to board members — but the numbers point to a disconnect regarding the quality of the information provided. Twenty-two percent of directors said the quality of the information they received regarding emerging and disruptive technologies — and their impact on enterprise strategy — was “lacking.”

Similarly, 23 percent of boards were not happy with the quality of information shared regarding the strategic options that management considered but ultimately rejected.

Given that the role of the board is to contribute to strategy development; oversee management’s implementation of the chosen strategy; and monitor the alignment of risks, performance and strategy, directors want access to quality information to ensure they achieve organizational objectives. Directors are especially concerned that strategy will need to change in the coming years due to factors like the speed of technological change and cyberthreats.

The Trouble With ‘Don’t Have It, Don’t Need It’

Obviously, IT and cybersecurity aren’t the only concerns on board directors’ minds. However, it is troubling to see that 10 percent of respondents indicated they didn’t have any IT and digital expertise on the board — and didn’t need it. In the same vein, as many as 4 percent of respondents acknowledged that cybersecurity was currently receiving no board oversight at all.

The survey cautions boards to be adequately engaged with the oversight of cybersecurity, noting that cybersecurity is an issue that affects the entire company, calling it a “pervasive risk” that needs the attention of the full board. It also recommends that each director understand the level of preparation of the company to detect, respond to and recover from a cybersecurity event.

Board directors — all the way down to the CISO — should follow these recommendations:

Understanding the overall state of strategic oversight and board oversight of IT and security across a number of industries could help you identify where your organization’s focus should be.

Listen to the podcast: Take Back Control of Your Cybersecurity Now

More from Risk Management

Is It Time to Start Hiding Your Work Emails?

In this digital age, it is increasingly important for businesses to be aware of their online presence and data security. Many companies have already implemented measures such as two-factor authentication and strong password policies – but there is still a great deal of exposure regarding email visibility. It should come as no surprise that cyber criminals are always looking for ways to gain access to sensitive information. Unfortunately, emails are a particularly easy target as many businesses do not encrypt…

2022 Industry Threat Recap: Finance and Insurance

The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

And Stay Out! Blocking Backdoor Break-Ins

Backdoor access was the most common threat vector in 2022. According to the 2023 IBM Security X-Force Threat Intelligence Index, 21% of incidents saw the use of backdoors, outpacing perennial compromise favorite ransomware, which came in at just 17%. The good news? In 67% of backdoor attacks, defenders were able to disrupt attacker efforts and lock digital doorways before ransomware payloads were deployed. The not-so-great news? With backdoor access now available at a bargain price on the dark web, businesses…

Cyber Storm Predicted at the 2023 World Economic Forum

According to the Global Cybersecurity Outlook 2023, 93% of cybersecurity leaders and 86% of business leaders think a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years. Additionally, 43% of organizational leaders think it is likely that a cyberattack will affect their organization severely in the next two years. With cybersecurity concerns on everyone’s mind, the topic received top billing at the recent World Economic Forum’s Annual Meeting 2023 in Davos, Switzerland. At the meeting, Matthew…