When it comes to cybersecurity, gap between IT, boardroom must be bridged

Most company directors have misguided sense of security about cyber exposures


Cybersecurity is increasingly becoming a topic of discussion in corporate boardrooms. But despite their growing interest, board directors lack both expertise and trust in their IT teams—according to a recent Ponemon Institute study commissioned by Fidelis Cybersecurity.

Infographic: Board directors' blind spots on security

A significant disconnect exists between those responsible for governance—the boards—and those responsible for the daily defense against cyber threats, according to the report, “Defining the Gap: The Cybersecurity Governance Study.”

Jim Jaeger, Fidelis chief cyber services strategist

“Clearly, cybersecurity can’t be the responsibility of any one entity in an organization, it’s a team ballgame,” says Jim Jaeger, Fidelis chief cyber services strategist who works regularly both with boards and cybersecurity managers. “There needs to be an ongoing dialogue between boards and IT security professionals.”

Ponemon Institute surveyed more than 650 board members and IT security professionals, mostly CISOs, CIOs and CTOs. It found that 60 percent of board members feel their organization’s cybersecurity governance practices are effective, compared to only 18 percent of IT professionals.

Almost 60 percent of IT pros surveyed also believed that their boards don’t understand cybersecurity risks—while 70 percent of board members believed the opposite.

“The boards are not necessarily comfortable that they have the right expertise,” says Jaeger, a retired Air Force brigadier general. “They need to be able to understand cyber risk from a higher-level perspective.”

The challenge, he says, is that IT experts are used to thinking in industry jargon instead of a language relevant to the directors.

“We live in such an acronym world, we have to do a better job of putting it in context of risk and in context of business,” he says.

Growing challenges

John Dickson, an internationally recognized security expert who frequently works with boards of directors, notes that in the recent past, a survey of this type would have had nothing to show.

John Dickson, Denim Group principal and security expert

“Two years ago … this was simply an IT risk to be managed with other IT risks. Now it’s more viewed as an existential threat to organizations and not just an inconvenience or data-loss risk,” says Dickson, principal at Denim Group Ltd. and former member of the Air Force Computer Emergency Response Team.

He says that more recent breaches causing business disruption—like Sony—are attracting the boards’ attention. But, he adds, boards also are thinking in terms of costs vs. risks.

“The biggest picture is about striking a balance between spending the right amount of resources and managing risks,” he says.

One challenge is that IT traditionally has been an expense item and not a profit generator, says John Prisco, president and CEO of Triumfant, which provides endpoint protection technology.

“From the protection standpoint, it’s going to become a necessary expense, but it will take some time and more large fallout (from breaches),” he says.


Another challenge is the abundance of tools available, he says.

“For so long, antivirus tools took care of everything, and now that’s not good enough,” he says.

Yet there’s a lot of marketing hype around cybersecurity products, and often it’s the best-marketed ones that win, not the best ones.

“Often, CISOs are spending budgets on products that are not that good,” he says.

Bridging the gap

Fidelis Cybersecurity, which provides advanced threat defense and incident response services, is frequently called by organizations after major breaches, such as the Home Depot event. Jaeger says there has been an increased number of inquiries from boards—and frequently, the breaches the company responds to have gone undetected for months.

“The board tends to not have a lot of confidence in the company’s ability to monitor and detect network intrusions,” he says.

A white paper titled “Bridging the Gap,” issued by Fidelis in response to the Ponemon study, says it would take three things to address the disconnect: increasing the board’s cybersecurity knowledge, giving the board visibility into the cybersecurity posture of the organization, and increasing the trust between the board and the IT team.

The trust will grow once the first two elements are in place, according to Jaeger. But he recommends going beyond that—putting in place things like incident-response exercises so the boards and the CISOs are used to interacting as well as going through common experiences.

The dialogue between the two sides needs to be recurring, he says.

But it may take the cybersecurity experts in organizations some time to get used to this type of role. Prisco notes that chief information security officer is a relatively new position and not many CISOs are comfortable in the boardroom.

“It’s a matter of having a CISO who can get the point across without … the jargon that makes most senior executives’ eyes glaze over,” he says. “If you can tell the story and show it is affecting the bottom line, you have a better chance of getting the proper tools in place.”
