When It Comes to Cyber Risks, A Confident Board Isn’t Always a Good Thing

In December 2018, the National Association of Corporate Directors (NACD) published its “2018–2019 Public Company Governance Survey” report, a key barometer of economic and governance concerns from the perspective of board directors in which cyber risks feature once again. To compile the report, the NACD surveyed more than 500 board directors from both large and small public companies.

Cybersecurity Threats Rank High Among Top Concerns

If it seems like board directors have been paying more attention to security, the governance survey confirms it: Cybersecurity threats ranked third in the list of top concerns for the next 12 months, coming in just behind change in regulatory climate and the chance of an economic slowdown. Cybersecurity isn’t the only data- or technology-related issue concerning boards, with pace of technological change coming in sixth place.

Board directors are also keenly aware that security and IT do not happen in a vacuum: they need to attract and retain talented people to work in those areas, which shows up as the seventh top concern, key talent deficits. Directors know that finding qualified talent to address the key issues facing their organizations is a challenge, which has led some companies to think outside the box with a new-collar approach.

Directors are also fully aware of the double-edged nature of technological change. Disruption can bring a competitive edge, but failure to properly secure or manage it can also create significant risk. Nearly 47 percent of directors named artificial intelligence (AI) as the top such disrupter, followed by the internet of things (IoT) at 30 percent. Automation, mobile computing and the cloud rounded out the top five technology-based disruptions, with most of these also seen as enablers if handled properly.

How can chief information security officers (CISOs) leverage these concerns? By paying attention to what their top leadership cares about, and working to frame their resource constraints, be they people, money, technology or processes, in terms of their impact on the business.

Board Directors Are Feeling Increasingly Confident About Cyber Risk Management

While directors have been concerned with cybersecurity for a number of years, we are finally seeing reports that they have also made progress toward improving their understanding of cyber risks and how those risks can impact their organization. Well over half of board directors (58 percent) reported that, collectively, their “board’s understanding of cyber risks is strong enough to provide effective oversight.” Individually, 52 percent of directors also report this level of confidence.

Where does this increased confidence come from? It may stem from the fact that nearly 50 percent of board directors ranked the quality of cyber risk information they receive from management as “much higher” than the information they were receiving two years ago.

For CISOs, this provides an opportunity for improvement, both in terms of the quality of cyber risk information reported to the board and the opportunities to continue educating the board on key cyber issues and trends — not in technical terms, but how those issues might impact the organization’s objectives, affect financial performance or signal the need to realign strategy to a new digital landscape.

But Are They Being Overly Confident?

Can this progress mask a troublesome trend? Can too much of a good thing be a bad thing? While the NACD survey indicates that board directors are becoming more cyber aware, it also revealed some troubling developments. When directors were asked to identify the top 10 areas in need of improvement over the next 12 months, oversight of cybersecurity ranked last, selected by just 54 percent of respondents. Boards already spend very little time engaging on issues such as cyber risks and technological disruption. If they perceive those areas to be under control or not in need of improvement, they are even less likely to devote time to them, with potentially disastrous consequences.

Another somewhat troubling indicator is that board directors are now far more confident that their company is secured against a cyberattack: 50 percent agreed or strongly agreed, compared with just 37 percent the year before. Unless that confidence is grounded in reality, or at least in frequent assessments, audits and actual tests of the organization's ability to detect, respond to and recover from cyber incidents, boards may be setting themselves and their organizations up for a rude awakening.

The best CISOs work diligently to establish a strong rapport with top leadership and the board, and a key part of that relationship should be honest conversations about the strength of our controls and metrics, and about how well we actually know what we think we know. At organizations with an internal audit (IA) function, CISOs should work with IA to give the board the best available picture of where it stands on cyber risk and resilience. Smaller organizations should consider increasing the value of their next external audit by ensuring that key IT systems are subjected to rigorous penetration testing rather than a checklist review alone.

Other Takeaways for CISOs

While the NACD survey is written specifically with board directors in mind, CISOs can benefit from it as well by increasing their understanding of board-level concerns and how boards spend their time. CISOs should be ready to step up and provide regular educational updates to their board. In its guidance to boards, the report encourages directors to “seek opportunities to ensure their knowledge is up to date” and for CISOs to regularly brief them on “the evolving cyber threat landscape, on the organization’s evolving response, and on incidents involving industry peers.” The report also advises boards be ready to tap external cyber risk experts to provide additional perspectives.

Looking at which governance issues boards spend time on each quarter shows that directors are more engaged in risk management and discussing technological disruption during the second and third quarter meetings compared to the rest of the year. CISOs looking to gain additional traction with boards should also understand which issues directors discuss with external stakeholders such as institutional investors. Of possible relevance to cyber risks, 45 percent of boards discussed long-term strategy, and 18 percent discussed oversight issues including external audits, internal audits and financial controls. By aligning the information CISOs provide to boards with the issues boards are already discussing with investors, CISOs are more likely to find a receptive ear.

Overall, the NACD report provides some great insight about the many concerns and issues facing board directors in the coming year. The good news is that cyber risks are on their radar. The bad news is that this issue still gets just a sliver of attention, and directors might be overly confident that their organizations can weather whatever cybersecurity storms come their way.


Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...