Board-level Cyber Literacy Is Low, Discomfort High

If business leaders and directors continue to view cybersecurity as mainly a matter for the IT department, they will leave their companies exposed to significant risks.

The heightened level of attention to the proliferation of cyber-attacks has yielded many outcomes, but none more notable than the recognition that responsibility for cyber risks no longer lies solely within the realm of IT. 

It now sits squarely in the domain of the C-suite and business leaders, with responsibility for oversight of management’s performance in cyber-risk identification, defense, mitigation, and response resting with the corporate board of directors.

The US National Association of Corporate Directors (NACD) has been a leading voice advocating for board-level cyber risk oversight since the initial release of the NACD Director's Handbook on Cyber-Risk Oversight in 2014. 

The handbook was the first non-government resource to be featured on the US Department of Homeland Security’s US-CERT C3 Voluntary Program website. Along with providing guidance for directors in companies of all sizes and sectors, the handbook helps boards understand management's responsibilities around cyber preparedness and, more pointedly, provides questions directors should be asking of the senior executive team. 

Board-level Cyber Literacy is Low, Discomfort High

NACD's most recent annual governance survey of public-company directors highlights the ongoing discomfort board members experience when it comes to cyber literacy.

According to the survey, only 19% of directors believe they have a high-level understanding of the risks associated with cyber-security, and 59% find it difficult to oversee those risks. 

These statistics speak to a larger problem: cyber-security needs to be prioritised and approached holistically across the organisation. The reason for this is simple. Cyber risks have an impact well beyond technology: they affect new business plans, product and service offerings, mergers and acquisitions, supply chain and purchasing decisions, major capital investment decisions such as facility expansions and upgrades, R&D processes, and HR policies. 

For that reason, cyber-security should be woven into boardroom discussions on all of these topics. If business leaders and directors continue to view cybersecurity as mainly a matter for the IT department, they will leave their companies, and, in turn, the U.S. economy, exposed to significant risks.

As part of the effort to strengthen investor trust and public confidence in board-level cyber risk oversight practices, NACD has created the first credentialed course dedicated to board member cyber literacy. 

The program is a first-of-its-kind online course that goes in-depth on issues such as cyber-security leadership, effective security structure, and the role of the board. Leaders who complete the course and pass the exam earn the CERT Certificate in Cybersecurity Oversight, issued by Carnegie Mellon.

Securities and Exchange Commission leaders have called cyber-security "the biggest risk to the financial system," also noting that "boards that choose to ignore, or minimise the importance of cyber-security oversight responsibility, do so at their own peril."

A common saying in the security world is that "there are only two types of organisations: those that have experienced a breach, and those who aren't aware that they've been breached." 

While no organisation is 100% protected, the board plays an important role in assessing a company's cyber preparedness. The intent of the NACD Cyber-Risk Oversight Program is not to turn board members into technologists; it's to ensure the board is aligned with management in setting the company’s cyber risk profile, and maintaining the organisation's cyber resiliency. 

Cyber Risk Oversight

In the past 20 years, the nature of corporate asset value has changed significantly, shifting away from the physical and toward the virtual. One recent study found that 80 percent of the total value of the Fortune 500 now consists of intellectual property (IP) and other intangibles. 

A Rapidly Evolving Cyber-Threat Landscape 

As recently as a few years ago, cyber-attacks were largely the province of hackers and a few highly sophisticated individuals. While problematic, many corporations could chalk up these events as simply a frustrating cost of doing business. 

Today, corporations are subject to attackers who are part of ultra-sophisticated teams that deploy increasingly targeted malware against systems and individuals in multi-staged, stealthy attacks. These attacks, sometimes referred to as APTs (for advanced persistent threats), were first deployed against government entities and defense contractors. More recently, they have migrated throughout the economy, meaning that virtually any company is at risk.

One of the defining characteristics of these attacks is that they can penetrate virtually all of a company’s perimeter defense systems, such as firewalls or intrusion detection systems: intruders look at multiple avenues to exploit all layers of security vulnerabilities until they achieve their goal. 

In other words, if a sophisticated attacker targets a company’s systems, they will almost certainly breach them. 

Dark Reading: IIA
