Company Boards Need To Get A Grip.

Major cyberattacks against organisations of all sizes seem to happen almost weekly. Despite the scale and potential harm from such attacks, there's wide recognition that corporate leaders, especially boards of directors, aren't taking the necessary actions to defend their companies against such attacks.

It's not just a problem of finding the right cyber-defense tools and services, but also one of management awareness and security acumen at the highest level, namely corporate boards.

"Our country and its businesses and government agencies of all sizes are under attack from a variety of aggressive adversaries and we are generally unprepared to manage and fend off these threats," said Gartner analyst Avivah Litan, a longtime cybersecurity consultant to many organisations.

"Some organisations do a better job than others, but those efforts are almost always led by CIOs, CISOs or business line managers and not by corporate boards, CEOs and executive management throughout government and the private sector," Litan added.


Litan said what's needed is a national response and cyber protection plan, but said she fears that the federal government is "way too fragmented and politicised to make any real progress toward this goal."

Threats against nationwide infrastructure, including the electricity grid, are "enormously serious," she added. "Unless senior executives, corporate boards and other senior stakeholders get their act together, the threat actors will continue to win. I'm not sure how many more wake-up calls we need in this country."

Litan's worries seem to have reached some quarters of the corporate governance community. The National Association of Corporate Directors (NACD) recently released a survey of more than 600 corporate board directors and professionals that found only 19% believe their boards have a high level of understanding of cybersecurity risks. That's an improvement from 11% in a similar poll conducted a year earlier.

The survey also found that 59% of respondents find it challenging to oversee cyber risk. The nonprofit NACD, which has 17,000 members, is working with security awareness firm Ridge Global and Carnegie Mellon University to create a Cyber-Risk Oversight program to educate corporate directors about the systemic risks of cyberattacks.

Litan said such education is important, but she also supports state and federal laws requiring organisations to report cyberattacks, so that customers and partners know to change passwords and make other adjustments to protect sensitive data.

"Having a requirement to disclose is a great motivator to increase security to prevent future attacks," Litan said. "No one wants their names in the news. That's what corporate directors are most worried about, in fact."

A majority of states have data security breach notification laws, but so far there's no nationwide provision. California first enacted its notification law in 2003, and other states followed suit.

At the federal level, a number of US senators have backed breach notification laws, but no bills have passed congressional muster. President Barack Obama proposed such legislation in 2015. With the January inauguration of Donald Trump as the next US president, it remains to be seen whether a federal breach notification law will take effect in the next four years, or longer.

When Yahoo disclosed in September 2015 a separate hack dating back to 2014, US Sen. Mark Warner, D-Va., renewed calls for bipartisan legislation to create a uniform data breach notification standard and co-founded the bipartisan Senate Cybersecurity Caucus. "Action from Congress to create a uniform data breach notification standard ... is long overdue," Warner said at the time.

One analyst, Jack Gold of J. Gold Associates, questioned whether a national breach notification law would be effective. "There are disclosure laws in many states and there are some government regulations that require disclosure, but I'm not sure it has any effect if companies lie about a hack or don't disclose it," he said.

Source: Techworld, "Cyber Security is Now Business Critical" (£)
