Boards are getting more involved in cybersecurity, but is it enough?

Despite operating in a state of hyper vigilance regarding cybersecurity threats, board participation in such planning has is at only 45 percent, according to 10,000 executives surveyed by PwC.

An escalation in the frequency, severity and impact of cybersecurity attacks damaging corporate operations, finances and reputations is forcing boards of directors to take more active roles in their company's defensive posture. However, the level of participation in their companies' risk mitigation strategy remains lacking, according to new research from PwC.

Forty-five percent of 10,000 CEOs, CFOs, CIOs and other executives PwC polled said that their boards participated in corporate cybersecurity strategy, up from 42 percent when PwC conducted a similar survey for 2014, according to David Burg, PwC's global cybersecurity practice leader. But given the glut of cybersecurity attacks Burg says the numbers are lower than they should be. "It is surprising that this number isn't north of 75 percent,” says Burg, who published the data in a new report. “In a world of connected business ecosystems, you’re only as strong as your weakest link.”

Cyber attacks capture corporate attention

Emphasis on protecting corporate assets has risen dramatically in the wake of high-profile breaches at Target, Home Depot and other organizations. A major, targeted attack on Sony Pictures proved terrifying for many companies -- and heightened board-level interest -- as the attackers released embarrassing emails. Moreover, the frequency of attacks is accelerating: PwC survey respondents reported a 38 percent uptick in cyber-assaults from 2014. The result has business leaders and their boards rethinking their cybersecurity practices, including funneling $77 billion on corresponding tools and processes this year. That number will more than double to $170 billion by 2020, according to Gartner research.

[ Related: Boards are on high alert over security threats ]

Emerging digital technologies, including IP address-enabled devices under the Internet of Things banner, will widen the attack surface, forcing corporate boards to step up their participation in threat mitigation, Burg says. Some boards are influencing technology selection, process implementation and budgets. For example, board participation in technology spending grew 7 percent, to 37 percent from 2014 to 2015, which he views as partially responsible for the 24 percent boost in security tools. Reviews of privacy and security risks also grew 7 percent, to 32 percent from 25 percent a year ago.

pwc cyber

(Click for larger image.) Source: PwC

Stepping up the cyber defense

Meanwhile, with or without the board’s involvement, companies are taking several measures to better protect themselves beyond such obvious options as strong encryption.

Cloud services as a trusted security measure. Companies are investing heavily in cloud tools for data protection, privacy, network security, identity and access management, real-time monitoring and analytics, and advanced authentication. Sixty-nine percent of those surveyed say they were using a cloud-based security service, and 56 percent cited real-time monitoring and analytics as their preferred line of defense.

[ Related: CISOs facing boards need better business, communication skills ]

Advanced authentication: Many banks and credit card providers support Apple’s Touch ID technology, allowing consumers to access their mobile application by pressing a finger to the iPhone’s fingerprint scanner. USAA, a financial services and insurance firm that caters to military veterans and service members, uses facial and voice recognition and fingerprint scanning for customer access to its mobile apps. Starwood Hotels & Resorts allows preregistered hotel guests to bypass the check-in desk and tap their smartphone or Apple Watch to unlock hotel room doors. Ninety-one percent of companies say they are using some form of advanced authentication to replace the traditional password credentials.

[ Related: Do boards of directors actually care about cybersecurity? ]

Security frameworks: Security frameworks, such as ISO 27001 and the U.S. National Institute of Standards and Technology Cybersecurity Framework, are gaining acceptance among organizations seeking to establish a foundation on which to mitigate risks. Such frameworks help companies identify and prioritize risks, gauge the maturity of their cybersecurity practices and better communicate. The Canadian Imperial Bank of Commerce has developed a scorecard based on framework controls that it uses to measure the maturity of its security program, according to the PwC report. Burg says 91 percent of organizations have adopted a security framework to hedge against risks.

Strength in numbers: Most companies – 56 percent surveyed -- are partnering with one another, sharing threat intelligence with others as a collective defense. Most organizations say such collaboration allows them to share and receive more actionable information from industry peers, as well as Information Sharing and Analysis Centers (ISACs). Burg says information sharing got a boost earlier this year when President Barack Obama signed an executive order that encourages collaboration among public and private organizations through Information Sharing and Analysis Organizations (ISAOs) designed to be more flexible than ISACs.

“ISAOs will fill certain gaps that current groups do not address and ultimately play a valuable role in contributing to a national cybersecurity immune system,” says Burg. He says PwC is currently working with stakeholders from the White House, industry and academia to improve the ISAOs.

Join the CSO newsletter!

Error: Please check your email address.

More about AdvancedAppleClickGartnerHome DepotISOSonyTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Clint Boulton

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place