Directors of U.S. businesses are pretty confident they can understand corporate security risks, but corporate security pros are not so sure their boards really get it, according to a survey of both board members and C-level security executives.
While 70% of board members say they understand the risks, only 43% of hired corporate security professionals agree, according to a Ponemon Institute study polling 245 board members and 409 IT security pros that was sponsored by Fidelis Cybersecurity.
Based on this finding the study concludes that, "more communication between the board and the IT function is sorely needed."
There are other gaps between what board members think and what CIOs, CSOs and CISOs think. For example, 59% of board members say they believe their governance of cybersecurity practices is effective; only 18% of IT pros agree.
In ranking that effectiveness, boards, on average, give themselves an 8.1 on a scale of 10 while the IT pros give them a 6.2, the study says.
IT pros should brief their boards regularly on attacks and breaches the company has suffered, the report recommends. Doing so may actually protect companies from falling afoul of regulations and laws that oversee corporate cyber security.
Asked whether their organizations suffered data breaches that resulted in lost or stolen records, 59% of board members said yes vs. 71% of security pros, which may reveal a lack of effective reporting to the boards by their hired IT pros.
The gap is even larger for breaches involving the theft of intellectual property where 23% of board members thought their firm's intellectual property had been breached while 54% of IT respondents thought so. "Board members are often in the dark about data breaches and security incidents involving the theft of high value information," the report says.
Most board members (89%) say they recognize that security failures or breaches can hurt both the reputation of the company and its market value, and 64% say they rely on communication from executives to keep them informed about threats, vulnerability and risks.
"This indicates that the board is not communicating its attitudes about cybersecurity well to IT security professionals, while the IT security professionals are not adequately communicating information about cybersecurity risks to the board," the report says.
There is a rift between what cyber events directors and security pros consider most worrisome. The biggest fear for board members (43%) is breaches that result in theft of intellectual property. For the security execs (33%) it's attacks that significantly disrupts business or IT operations.