Signs a Board Thinks Security is Better than It Is.

Uploaded on 2015-12-07 in TECHNOLOGY--Resilience, FREE TO VIEW

While most boards of directors today consider cybersecurity risks a top concern for the companies they help govern, their true awareness of the threats may not be as good as they think, according to recent results of a Ponemon Institute survey that compared directors' perceptions to IT security executives. 

The study showed that there's a gap between how well the boards believe their charges are doing with security and the perception by security personnel in the trenches working to protect company assets. Here are some indications from the survey that boards of directors may underestimate the cybersecurity risks facing their organisations.

Even though almost three-quarters of directors report that they're charged with overseeing risk assessments and audits at their companies, they may not have the baseline knowledge necessary to really decipher information and capably lead based on these assessments. 

The survey showed that only 33 percent of board members consider themselves knowledgeable or very knowledgeable about cybersecurity. It's not surprising, then that while 70 percent of board members say they understand the security risks their organizations face, just 43 percent of IT security personnel believe their boards truly understand the cyber risk landscape.

Overconfidence Endemic To Boards

The lack of knowledge allows many directors to maintain somewhat Pollyanna-ish views about their organisation's security readiness. Approximately 59 percent of board members rate their cybersecurity governance practices as very effective. At the same time, only 18 percent of security pros also believe this to be true.

"This finding reveals the deep divide in the thinking about what constitutes effective governance practices between board members who are in charge of overall company performance and those responsible for stopping data breaches and cyber attacks," the report said.

Board Not Informed of Incidents

The disparity between breaches that board members know about versus those that IT security staff have knowledge of hints at a troubling lack of communication between the board and infosec pros.   Over half of IT security professionals reported that their organisations had experienced a breach involving theft of high-value information in the past two years. 

That's compared with just 23 percent of board members who believed the same. Furthermore, in many cases, board members are unsure if their organizations have experienced security incidents. About one in five directors say they're uncertain if their organisation experienced a cyber attack that disrupted business or IT operations in the past few years and 18 percent said they were unsure if it experienced a breach involved high-value information.

Directors Don't Ask For Security Measurables

While board members recognise the importance of cyber security, 89 percent say they recognise the reputational and marketplace impact breaches or security failures pose, they're not asking for enough information from security departments. 

In fact, only 19 percent of boards use any kind of cybersecurity metrics to keep IT accountable for maintaining an acceptable level of risk for the organisation.

Dark Reading: http://ubm.io/1Hvwnz7

« Data Breaches Hurt 43% of Businesses Last Year
Five Greatest Cybersecurity Myths »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

GovCERT.HK

GovCERT.HK

GovCERT.HK is the Government Computer Emergency Response Team for Hong Kong.

RiskLens

RiskLens

RiskLens is a software company that specializes in the quantification of cybersecurity risk.

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity provide solutions for Secure Networks, Secure Communications, Network Analysis, and Endpoint Security.

Center for Identity - University of Texas at Austin

Center for Identity - University of Texas at Austin

The mission of the Center is to deliver the highest-quality discoveries, applications, education, and outreach for excellence in identity management, privacy, and security.

Mission Secure (MSi)

Mission Secure (MSi)

MSi is a specialized provider of next generation cyber defense solutions protecting control systems and critical physical assets in energy, transportation and defense.

Computing Technology Industry Association (CompTIA)

Computing Technology Industry Association (CompTIA)

CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy.

limes datentechnik

limes datentechnik

limes datentechnik is an authority in the fields of cryptography and data compression. The FLAM product family is an internationally accepted standard for efficient and safe handling of data.

Aujas Cybersecurity

Aujas Cybersecurity

Aujas has deep expertise and capabilities in Identity and Access Management, Risk Advisory, Security Verification, Security Engineering, & Managed Detection and Response services.

Cequence Security

Cequence Security

Cequence, a pioneer in API security and bot management, is the only solution that delivers Unified API Protection (UAP), uniting discovery, compliance, and protection.

Illuma Labs

Illuma Labs

Illuma Labs delivers real-time voice authentication and fraud prevention solutions.

HiddenLayer

HiddenLayer

HiddenLayer is a provider of security solutions for machine learning algorithms, models and the data that power them.

MyKRIS Asia

MyKRIS Asia

MyKRIS specialise in providing and managing Internet network services and cyber security services to enterprises.

ECIT

ECIT

ECIT is your preferred provider of finance and IT services. We believe in the value of combining financial and IT services to streamline and improve the operation of your business.

Cipher Net Shield

Cipher Net Shield

Cipher Net Shield specializes in secure E-wallet solutions with a strong focus on blockchain and cybersecurity, prioritizing both transaction security and the recovery of lost capital.

Accompio

Accompio

Accompio offer comprehensive support in the digitalisation of your business processes.

Future Crime Research Foundation (FCRF)

Future Crime Research Foundation (FCRF)

FCRF is a Non-Profit NGO specializing in Research in Cyber Security, Digital Crime, Fraud Risk Management, Cyber Laws and Cyber Forensics.