For decades now the relationships between CISOs and their top executives have been a matter of touch and go. In the early 2000s, following 9/11 and a number of high profile worms such as Code Red and Nimda, cybersecurity jumped from a marginal, often ignored, topic to front and center in the boardroom.
However, as weeks and months went by, interest and the urgency around cybersecurity waned. It was ignited again in 2003, as more enterprises geared themselves toward becoming Sarbanes-Oxley compliant.
Since that time, interest in cybersecurity from top executives and the board has cycled up and down several times: a wave of high-profile attacks would make headlines, and boards of director interest in cybersecurity would perk, only to have interest fade once again as things settled down again.
Fortunately, this may be changing now as the amount of attention boards of directors are paying to cybersecurity is high and possibly growing. The reason is that now, because cyberattacks have remained high and there is a steady drumbeat of data breaches, cybersecurity should be on the top of the business priority list for some time to come.
Consider CSO’s recent 2015 U.S. State of Cybercrime Survey that found only one in four CISOs or CSOs make a security presentation to their board annually, while 30 percent of respondents in that survey said that their security executives make quarterly security presentations. That comes to roughly 55 percent of respondents who provided a presentation to their board once a year or more, while 28 percent of respondents said their security leaders never make presentations to their boards. Not surprisingly, the larger the company, the more likely it is to have board cybersecurity involvement while only 18 percent of small companies say their security leaders advise their board on security, 33 percent of large organizations do.
When it came to board and cybersecurity involvement, such involvement in the U.S. came in stronger than it is internationally. The Global State of Information Security Survey (GSISS) 2016 found that board involvement globally dropped to 45 percent of organizations. However, that’s a significant increase from last year’s GSISS survey, which found that boards participated in security budget (46 percent compared to 40 percent in 2015), overall security strategy (45 percent compared to 42 percent), security policies (41 percent compared to 36 percent) and security technologies (32 percent compared to 25 percent).
“Cyber security has gone from a Main Street and public perception and Wall Street and financial impact issue to a board room priority with C-level career risk,” says Doug Dooley, a board member of security analytics and forensics vendor Niara’s and venture capitalist at Venrock. “Every board member needs to have a point of view on handling cyber risks and threats to its business."
Doug Dooley, venture capitalist at Venrock
“As 'software eats the world' and digitization permeates every type of organization, so follows the threat vectors that hackers exploit. I believe the need for leaders to think through their cyber security posture and investment has to start at the highest levels of accountability,” Dooley adds.
“Board oversight is intended to keep executives focused on those things that are strategically important to an organization. As such, board involvement means that executives will see cybersecurity as one of the long-term strategic objectives they need to balance, and place value on it accordingly,” says Vikram Phatak, CEO of NSS Labs.
Few would doubt that now, but it has been true for decades, so why has the attention span by top execs and members of the board lengthened now? Many of those interviewed believe that in years past, aside from regulatory compliance and privacy risks, information security was viewed as a technology challenge that would be solved – rather than an ongoing adversarial battle with cybercriminals. “I suspect [many boards] thought it was a tech problem that would quickly go away instead of realizing it was a business risk that would go on for a very long time,” says Martin Fisher, IT security manager at Northside Hospital.
Will the board attention span be longer this time? Many think so. “I think the issues of cyber security are sitting at the board level and are there to stay. With the continued breaches we see that the era of ‘it can't/won't happen to us’ is over and board members understand it's a risk they have to monitor, just like all of the other large risks they handle,” says Fisher.