CISOs, corporate boards in wide disagreement on cyber resilience

Dive Brief:

• A wide gulf exists between perceptions of corporate board members and CISOs over the abilities of their companies to handle a cyberattack, according to a study by Proofpoint and Cybersecurity at MIT Sloan.
• Almost two-thirds of board members said their organizations are at risk of a material cyberattack in the next 12 months, according to the research. By contrast, less than half of CISOs said their organizations were at risk of such an attack. 
• There are also mixed perceptions regarding how aligned the board is with CISOs. More than two-thirds of board members said they see eye-to-eye with CISOs in their organizations, while only half of CISOs feel the same way about their board members.

Dive Insight:

The research comes at a critical juncture in the infosec world about the relationship between CISOs, the C-suite and boards of directors. 

Congress, federal agencies and a growing number of states are demanding robust and immediate disclosure of cybersecurity incidents following the 2020 nation-state attack against SolarWinds. A series of high-profile and disruptive ransomware incidents, most notably the May 2021 attack against Colonial Pipeline, have added to the tension.

Among those demands for regulatory oversight, the Securities and Exchange Commission in March proposed rapid disclosure — within four days — of material cybersecurity incidents. The agency also called for periodic updates regarding corporate security policies and oversight.

“Over time, cybersecurity has moved from being the sole purview of the CIO and CISO to something that is now discussed at the board level,” Lucia Milică, VP and global resident CISO at Proofpoint, said. The rise in attacks has taken a severe financial and reputational toll on numerous companies. 

“Board members are rightly prioritizing this and they do have a valuable role to play alongside the CISO in creating a more resilient, protected organization,” she said. 

The research follows a separate study from PwC last month showing corporations are taking additional steps to address cybersecurity, with added support from the C-suite and boardroom. 

“Boards are more engaged in cyber as their companies face increasing risks,” Matt Gorham, leader of PwC’s Cyber & Privacy Innovation Institute, said via email in September. “Corporate directors are willing to learn about cyber and devote time to it.” 

Board members and CISOs share some concerns about cyberattacks, each ranking business email compromise and cloud account compromise as major concerns, according to the Proofpoint study with MIT. However, CISOs ranked insider risk as their top concern, but board members place it much lower on the scale. 

Major disagreements exist about the consequences of an attack: Board members are most concerned about internal data being disclosed publicly, alongside reputational damage and loss of revenue. 

CISOs are most concerned about significant amounts of downtime, how an incident will disrupt operations and how an incident will impact business operations.

“CISOs and board members come from two different backgrounds, which is coloring their perception of risk,” Milică said. “Board members don’t sit as close as CISOs to security so they may lack the intricacies involved to truly understand the nature of the threat.”

However, Milica added, part of the perception gap may be the inability of CISOs to communicate cyber risk in a way that board members can understand. 

The study is based on responses from more than 600 board members, representing organizations from across the globe, with each organization having at least 5,000 employees. As part of the research, 50 board directors from a total of 12 different countries were interviewed, including the U.S., U.K. and Canada.