Top executives and cybersecurity: a fickle relationship?

CISOs have more of their top business execs' attention now than ever before; is it here to stay?

For decades now the relationship between CISOs and their top executives has been touch and go. In the early 2000s, following 9/11 and a number of high-profile worms such as Code Red and Nimda, cybersecurity jumped from a marginal, often ignored topic to front and center in the boardroom.

However, as weeks and months went by, interest and the urgency around cybersecurity waned. It was ignited again in 2003, as more enterprises geared themselves toward becoming Sarbanes-Oxley compliant.

Since that time, interest in cybersecurity from top executives and the board has cycled up and down several times: a wave of high-profile attacks would make headlines, and boards of directors' interest in cybersecurity would perk up, only to fade once again as things settled down.

Fortunately, this may be changing: the amount of attention boards of directors are paying to cybersecurity is high and possibly growing. Because the volume of cyberattacks has remained high and there is a steady drumbeat of data breaches, cybersecurity should stay at the top of the business priority list for some time to come.

Consider CSO’s recent 2015 U.S. State of Cybercrime Survey, which found that only one in four CISOs or CSOs make a security presentation to their board annually, while 30 percent of respondents said their security executives make quarterly security presentations. That comes to roughly 55 percent of respondents whose security leaders present to their board once a year or more, while 28 percent of respondents said their security leaders never present to their boards. Not surprisingly, the larger the company, the more likely it is to have board cybersecurity involvement: only 18 percent of small companies say their security leaders advise their board on security, while 33 percent of large organizations do.

Board involvement in cybersecurity is stronger in the U.S. than it is internationally. The Global State of Information Security Survey (GSISS) 2016 found that board involvement globally dropped to 45 percent of organizations. However, that’s a significant increase from last year’s GSISS survey: boards participated in security budget (46 percent compared to 40 percent in 2015), overall security strategy (45 percent compared to 42 percent), security policies (41 percent compared to 36 percent) and security technologies (32 percent compared to 25 percent).

“Cyber security has gone from a Main Street and public perception and Wall Street and financial impact issue to a board room priority with C-level career risk,” says Doug Dooley, a board member of security analytics and forensics vendor Niara and a venture capitalist at Venrock. “Every board member needs to have a point of view on handling cyber risks and threats to its business.”


“As 'software eats the world' and digitization permeates every type of organization, so follows the threat vectors that hackers exploit. I believe the need for leaders to think through their cyber security posture and investment has to start at the highest levels of accountability,” Dooley adds.

“Board oversight is intended to keep executives focused on those things that are strategically important to an organization. As such, board involvement means that executives will see cybersecurity as one of the long-term strategic objectives they need to balance, and place value on it accordingly,” says Vikram Phatak, CEO of NSS Labs.

Few would doubt that now, but it has been true for decades, so why has the attention span of top execs and board members lengthened now? Many of those interviewed believe that in years past, aside from regulatory compliance and privacy risks, information security was viewed as a technology challenge that would be solved – rather than an ongoing adversarial battle with cybercriminals. “I suspect [many boards] thought it was a tech problem that would quickly go away instead of realizing it was a business risk that would go on for a very long time,” says Martin Fisher, IT security manager at Northside Hospital.

Will the board’s attention span be longer this time? Many think so. “I think the issues of cyber security are sitting at the board level and are there to stay. With the continued breaches we see that the era of ‘it can't/won't happen to us’ is over and board members understand it's a risk they have to monitor, just like all of the other large risks they handle,” says Fisher.

Stories by George V. Hulme