A survey of 645 boards of directors conducted by PwC found nearly half (49%) still viewed cybersecurity as a challenge.
Matt Gorham, leader of the Cyber & Privacy Innovation Institute for PwC, said the survey, published this week, showed progress is being made in terms of awareness among board members of the cybersecurity issues that organizations face, but there is still much work to be done.
Overall, the survey found nearly two-thirds (64%) have increased the amount of time the board agenda devotes to cybersecurity, with 46% reporting they have spent time studying cybersecurity issues. More than a third (38%) have consulted third-party experts. Just over a third (35%) have also increased the number of meetings they have with CISOs.
A full 87% said the pre-read materials and presentations for cybersecurity provided by management teams were effective. However, only about half have examined incident readiness plan testing results (56%), cybersecurity program maturity assessments (53%) or third-party risk assessments (50%).
With the Securities and Exchange Commission (SEC) proposing fundamental changes to the level of cybersecurity accountability of public companies, it’s apparent there is still work to be done in terms of the level of cybersecurity expertise brought to bear at the board level, noted Gorham.
Board members should be urging organizations to simplify their IT environments as much as possible to make them easier to secure, he added. In addition, cloud computing strategies should be evaluated to make sure cybersecurity best practices are being followed, noted Gorham.
Finally, boards should review the tools in use to make sure the latest tactics and techniques being adopted by cybercriminals can be thwarted, he said. That’s especially critical as advances in artificial intelligence (AI) are being made rapidly that, to varying degrees, benefit both attackers and defenders, added Gorham. In effect, organizations are now in a cybersecurity arms race.
The SEC stopped short of making directors personally responsible for cybersecurity, but it’s clear the Biden administration is committed to making regulations pertaining to cybersecurity more stringent. As such, boards will be required to evaluate the impact these regulations will have on the interests of shareholders.
Of course, it’s not likely that every member of a board is going to be a cybersecurity expert, but there should be at least one member capable of making an insightful assessment of an organization’s security practices. Cybersecurity is still often viewed as a cost to be limited rather than a business enabler. There’s also a natural tendency to overestimate the rewards of a potential new business opportunity while simultaneously underestimating the potential cybersecurity risks.
It’s not clear how much impact a board that is savvier about cybersecurity might have on the daily life of cybersecurity professionals, but there should, at the very least, be an honest assessment of the resources available. Every cybersecurity professional already knows the odds are stacked against them. They wish everyone else would appreciate that simple fact the next time a major breach occurs.