Do boards of directors actually care about cybersecurity?

Survey says business leaders probably don’t care as much about cybersecurity as they say they do

There’s no shortage of arguments that cybersecurity needs to be aligned with the needs of the business, or that security is now a “boardroom issue.” And it seems that a new report or study is issued every day that states that boards of directors are more involved with their organizations’ cybersecurity efforts than ever before.

That’s the established narrative, but is it so? Our recent 2015 US State of Cybercrime Survey of more than 500 respondents, including US business executives, law enforcement services, and government agencies, throws a bit of cold water on those findings.

The cybercrime survey found that organizations come in three variants when it comes to board alignment: horrendous, adequate, and excellent. First the horrendous and adequate. Nearly a third, 28 percent, of respondents said their security leaders make no presentations at all to the board, while one in four, or 26 percent, said their CISO, or their organization’s equivalent, provides an annual presentation to their board of directors.

That leaves about 30 percent of respondents who said their senior security executives stay in regular contact with the board by providing quarterly cybersecurity presentations.

Not surprisingly, CISOs from larger organizations are more likely to make a quarterly board presentation than those at smaller organizations. One-third of survey respondents at small enterprises reported that they don’t ever advise the board on cybersecurity efforts. Still, a shockingly high 18 percent of security leaders at larger enterprises don’t either.

None of this is especially good news for cybersecurity. Many security experts would agree that boards of directors must be part of the information security decision-making chain, and that cybersecurity should be viewed as a corporate-wide risk – not just a matter of IT risk to be dealt with by the IT department. Unfortunately, that’s precisely how many organizations view cybersecurity.

In fact, only 42 percent of respondents viewed cybersecurity as a corporate governance issue, while 42 percent do not. When it comes to the board’s relationship with cybersecurity, the results are divided: at one end, 30 percent state that no board members or committees are actively engaged in cybersecurity, while at the other end of the spectrum, 25 percent of boards are involved.

Unfortunately, at many organizations, the security team feels the disconnect. While business leaders talk about how important cybersecurity is, security teams lament that they are not getting the tools and the resources needed to adequately secure the organization.

Jay Leek, SVP and chief information security officer at Blackstone, has spent considerable time talking to boards of directors about security.

As a global investment and advisory firm, Blackstone invests in many businesses that seek cybersecurity guidance. In his capacity as CISO, Leek speaks often with the Blackstone board and with the boards of other businesses within Blackstone’s portfolio.

Leek says that communicating with the board isn’t rocket science and that boards need a realistic understanding of the state of cybersecurity today.

“A lot of the time, I’m explaining the nature of the challenge to boards of directors,” says Leek.

“I’m telling them that it’s not possible to stop everything and that some threats are going to get in, and why it’s so important to be able to respond effectively. It’s very important just to get boards to understand that,” he says.

Next month, Leek is making a presentation to the board of directors at a Blackstone company, and one of his primary goals is to keep the message straightforward.

“The presentation is four slides, two of which explain the realistic state of security, so they can understand and wrap their heads around the nature and magnitude of the problem before I try to explain anything about what they need to do,” he says.

“I believe we as security professionals, myself included, have done our industry such a disservice by making what we do so complicated to others. We have crazy frameworks and hundreds of different controls and best practices among other things. We have 1,200 vendors in the space and argue that we need all these crazy, magical things so we can be able to hopefully secure ourselves,” he says. “We really don’t, and I’m a big believer in communication with the board and simplifying how we communicate.”

That sounds like a great way to better align cybersecurity with business leaders. Now, if only more would get that message.
