Signs a Board Thinks Security is Better than It Is.

Uploaded on 2015-12-07 in TECHNOLOGY--Resilience, FREE TO VIEW

While most boards of directors today consider cybersecurity risks a top concern for the companies they help govern, their true awareness of the threats may not be as good as they think, according to recent results of a Ponemon Institute survey that compared directors' perceptions to IT security executives. 

The study showed that there's a gap between how well the boards believe their charges are doing with security and the perception by security personnel in the trenches working to protect company assets. Here are some indications from the survey that boards of directors may underestimate the cybersecurity risks facing their organisations.

Even though almost three-quarters of directors report that they're charged with overseeing risk assessments and audits at their companies, they may not have the baseline knowledge necessary to really decipher information and capably lead based on these assessments. 

The survey showed that only 33 percent of board members consider themselves knowledgeable or very knowledgeable about cybersecurity. It's not surprising, then that while 70 percent of board members say they understand the security risks their organizations face, just 43 percent of IT security personnel believe their boards truly understand the cyber risk landscape.

Overconfidence Endemic To Boards

The lack of knowledge allows many directors to maintain somewhat Pollyanna-ish views about their organisation's security readiness. Approximately 59 percent of board members rate their cybersecurity governance practices as very effective. At the same time, only 18 percent of security pros also believe this to be true.

"This finding reveals the deep divide in the thinking about what constitutes effective governance practices between board members who are in charge of overall company performance and those responsible for stopping data breaches and cyber attacks," the report said.

Board Not Informed of Incidents

The disparity between breaches that board members know about versus those that IT security staff have knowledge of hints at a troubling lack of communication between the board and infosec pros.   Over half of IT security professionals reported that their organisations had experienced a breach involving theft of high-value information in the past two years. 

That's compared with just 23 percent of board members who believed the same. Furthermore, in many cases, board members are unsure if their organizations have experienced security incidents. About one in five directors say they're uncertain if their organisation experienced a cyber attack that disrupted business or IT operations in the past few years and 18 percent said they were unsure if it experienced a breach involved high-value information.

Directors Don't Ask For Security Measurables

While board members recognise the importance of cyber security, 89 percent say they recognise the reputational and marketplace impact breaches or security failures pose, they're not asking for enough information from security departments. 

In fact, only 19 percent of boards use any kind of cybersecurity metrics to keep IT accountable for maintaining an acceptable level of risk for the organisation.

Dark Reading: http://ubm.io/1Hvwnz7

« Data Breaches Hurt 43% of Businesses Last Year
Five Greatest Cybersecurity Myths »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Phoenix TS

Phoenix TS

Phoenix TS offers world-class management, computer, and IT security certification training courses.

Delphix

Delphix

Delphix is the industry leader for DevOps test data management.

Lastline

Lastline

Lastline is the leader in advanced malware protection.

Snow Software

Snow Software

Snow Software is changing the way organizations think about their technology investments, empowering IT and business leaders to drive transformation with precision and agility.

Advenica

Advenica

Advenica develops, manufactures and sells innovative cybersecurity solutions for encryption and secure information exchange.

Gatewatcher

Gatewatcher

Gatewatcher is a digital breach detection platform targeting crafted attacks and protecting organizations against advanced cyber threats.

AllClear ID

AllClear ID

AllClear ID provides products and services that help protect people and their personal information from threats related to identity theft.

VerifyMe

VerifyMe

VerifyMe is a global technology solutions company delivering brand protection offerings to mitigate counterfeiting, product diversion, and illicit trade.

Wireless Logic

Wireless Logic

Wireless Logic delivers a range of secure and resilient value-added M2M/IoT managed services that empower remote devices to communicate cost-effectively, two ways.

Romanian Association for Electronic Industry & Software (ARIES)

Romanian Association for Electronic Industry & Software (ARIES)

ARIES is the Romanian Association for Electronic Industry and Software, the biggest and most influental organization created for the IT&C industry in Romania.

Rentalworks

Rentalworks

Rentalworks is a leading provider of Internet-of-Things (IoT) Asset Lifecycle Management Services including secure data erasure and disposal.

Duality Technologies

Duality Technologies

Duality Technologies combine Advanced Cryptography with Data Science to deliver High-Performance Privacy-Protecting Computing to Regulated Industries.

Antares NetlogiX

Antares NetlogiX

Antares Netlogix are a leading Austrian service provider for IT security, critical infrastructures and managed security services.

Mainstream Technologies

Mainstream Technologies

Mainstream Technologies is an information technology services firm specializing in custom software development, managed IT services, cybersecurity services and hosting.

Secora Consulting

Secora Consulting

Secora Consulting is a professional services company specialising in tailored cybersecurity assessments and cyber advisory services.

XBOW

XBOW

XBOW brings AI to offensive security, augmenting the work of bug hunters and security researchers.