Company Boards Need To Get A Grip.

Major cyberattacks against organisations of all sizes seem to happen almost weekly. Despite the scale and potential harm from such attacks, there's wide recognition that corporate leaders, especially boards of directors, aren't taking the necessary actions to defend their companies against such attacks.

It's not just a problem of finding the right cyber-defense tools and services, but also one of management awareness and security acumen at the highest level, namely corporate boards.

"Our country and its businesses and government agencies of all sizes are under attack from a variety of aggressive adversaries and we are generally unprepared to manage and fend off these threats," said Gartner analyst Avivah Litan, a longtime cybersecurity consultant to many organisations.

"Some organisations do a better job than others, but those efforts are almost always led by CIOs, CISOs or business line managers and not by corporate boards, CEOs and executive management throughout government and the private sector," Litan added.

“Unless senior executives, corporate boards and other senior stakeholders get their act together, the threat actors will continue to win.” Avivah Litan, Gartner cybersecurity analyst

Litan said what's needed is a national response and cyber protection plan, but said she fears that the federal government is "way too fragmented and politicised to make any real progress toward this goal."

Threats against nationwide infrastructure, including the electricity grid, are "enormously serious," she added. "Unless senior executives, corporate boards and other senior stakeholders get their act together, the threat actors will continue to win. I'm not sure how many more wake-up calls we need in this country."

Litan's worries seem to have reached some quarters of the corporate governance community. The National Association of Corporate Directors (NACD) recently released a survey of more than 600 corporate board directors and professionals that found only 19% believe their boards have a high level of understanding of cybersecurity risks. That's an improvement from 11% in a similar poll conducted a year earlier.

The survey also found that 59% of respondents find it challenging to oversee cyber risk. The nonprofit NACD, which has 17,000 members, is working with security awareness firm Ridge Global and Carnegie Mellon University to create a Cyber-Risk Oversight program to educate corporate directors about the systemic risks of cyberattacks.

Litan said such education is important, but she also supports state and federal laws to require organisations to report cyber-attacks so that customers and partners will know to change passwords and make other adjustments to protect sensitive data.

"Having a requirement to disclose is a great motivator to increase security to prevent future attacks," Litan said. "No one wants their names in the news. That's what corporate directors are most worried about, in fact."

A majority of states have data security breach notification laws, but so far there's no nationwide provision. California first enacted its notification law in 2003, and other states followed suit.

At the federal level, a number of US senators have backed breach notification laws, but no bills have passed congressional muster. President Barack Obama proposed such legislation in 2015. With the January inauguration of Donald Trump as the next US president, it remains to be seen whether a federal breach notification law will take effect in the next four years, or longer.

When Yahoo disclosed in September 2015 a separate hack dating back to 2014, US Sen. Mark Warner, D-Va., renewed calls for bipartisan legislation to create a uniform data breach notification standard and co-founded the bipartisan Senate Cybersecurity Caucus. "Action from Congress to create a uniform data breach notification standard ... is long overdue," Warner said at the time.

One analyst, Jack Gold of J. Gold Associates, questioned whether a national breach notification law would be effective. "There are disclosure laws in many states and there are some government regulations that require disclosure, but I'm not sure it has any effect if companies lie about a hack or don't disclose it," he said.

Techworld:                      Cyber Security is Now Business Critical (£):
 

« Digital Forensics, Incident Response & Attribution
Virtual Reality Is Getting Real In 2017 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

iTrinegy

iTrinegy

iTrinegy is a world leader in Application Risk Management offering solutions to mitigate all networked application deployment risks

Foregenix

Foregenix

Foregenix are global specialists in Digital Forensics and information security including Penetration testing and Website Security.

Secure Innovations

Secure Innovations

Secure Innovations is a cybersecurity firm dedicated to providing top-tier cyber security solutions for the Defense and the Intelligence Community.

adaware

adaware

adaware is an award-winning security and privacy software provider, empowering users to connect with confidence.

Gulf Computer Services Co (GCSC)

Gulf Computer Services Co (GCSC)

Gulf Computer Services is a major player in the field of networking & Communication solutions for emerging industries such as Internet Services and Information Technology in Saudi Arabia.

Cortado Mobile Solutions

Cortado Mobile Solutions

Cortado Mobile Solutions creates enterprise mobility and file sharing solutions for companies, teams and freelancers.

ES2

ES2

ES2 is a consulting organisation specialising in Enterprise Security and Solutions Services.

Crypto International

Crypto International

Crypto International offers comprehensive services for the operation of our customers’ IT and communication infrastructure, with a focus on cybersecurity and encryption solutions.

Axur

Axur

Discover and eliminate digital fraud and risks on the web. Utilize Axur’s entire AI potential, along with thousands of bots dispersed throughout the surface web as well as the deep and dark web.

SnapAttack

SnapAttack

SnapAttack is a collaborative platform that empowers your security team to stay ahead of threats, create robust behavioral analytics for your existing tools, and prove your program's effectiveness.

TotalAV

TotalAV

TotalAV Antivirus is a free-to-use app packed with all the essential features to find and remove malware, keeping you safe.

Quartz Network

Quartz Network

Quartz Network is a curated community for change-makers, up-and-comers, and professionals who are ready to grow, adapt, and thrive.

SeeMetrics

SeeMetrics

SeeMetrics is an automated cybersecurity performance management platform that integrates security data and business objectives into a simple interface.

Boecore

Boecore

Boecore is an aerospace and defense engineering company that specializes in software solutions, systems engineering, cybersecurity, enterprise networks, and mission operations.

Aegis Cyber Defense Systems

Aegis Cyber Defense Systems

AEGIS is a powerful cybersecurity tool that can help protect your devices and networks from cyber threats, and increase performance.

Paramount Defenses

Paramount Defenses

Paramount Defenses have unrivaled capability in two of the most critical areas in cyber security today – Active Directory Security and Privileged Access.