When it comes to cybersecurity, gap between IT, boardroom must be bridged
Most company directors have misguided sense of security about cyber exposures
By Rodika Tollefson, ThirdCertainty
Cybersecurity is increasingly becoming a topic of discussion in corporate boardrooms. But despite their growing interest, board directors lack both expertise and trust in their IT teams—according to a recent Ponemon Institute study commissioned by Fidelis Cybersecurity.
A significant disconnect exists between those responsible for governance—the boards—and those responsible for the daily defense against cyber threats, according to the report, “Defining the Gap: The Cybersecurity Governance Study.”
“Clearly, cybersecurity can’t be the responsibility of any one entity in an organization, it’s a team ballgame,” says Jim Jaeger, Fidelis chief cyber services strategist who works regularly both with boards and cybersecurity managers. “There needs to be an ongoing dialogue between boards and IT security professionals.”
Ponemon Institute surveyed more than 650 board members and IT security professionals, mostly CISOs, CIOs and CTOs. It found that 60 percent of board members feel their organization’s cybersecurity governance practices are effective, compared to only 18 percent of IT professionals.
Almost 60 percent of IT pros surveyed also believed that their boards don’t understand cybersecurity risks—while 70 percent of board members believed the opposite.
“The boards are not necessarily comfortable that they have the right expertise,” says Jaeger, a retired Air Force brigadier general. “They need to be able to understand cyber risk from a higher-level perspective.”
The challenge, he says, is that IT experts are used to thinking in industry jargon instead of a language relevant to the directors.
“We live in such an acronym world, we have to do a better job of putting it in context of risk and in context of business,” he says.
John Dickson, an internationally recognized security expert who frequently works with boards of directors, notes that in the recent past, a survey of this type would have had nothing to show.
“Two years ago … this was simply an IT risk to be managed with other IT risks. Now it’s more viewed as an existential threat to organizations and not just an inconvenience or data-loss risk,” says Dickson, principal at Denim Group Ltd. and former member of the Air Force Computer Emergency Response Team.
He says that more recent breaches causing business disruption—like Sony—are attracting the boards’ attention. But, he adds, boards also are thinking in terms of costs vs. risks.
“The biggest picture is about striking a balance between spending the right amount of resources and managing risks,” he says.
One challenge is that IT traditionally has been an expense item and not a profit generator, says John Prisco, president and CEO of Triumfant, which provides endpoint protection technology.
“From the protection standpoint, it’s going to become a necessary expense, but it will take some time and more large fallout (from breaches),” he says.
Another challenge is the abundance of tools available, he says.
“For so long, antivirus tools took care of everything, and now that’s not good enough,” he says.
“Yet there’s a lot of marketing hype around cybersecurity products, and often it’s the best-marketed ones that win, not the best ones. Often, CISOs are spending budgets on products that are not that good,” he says.
Bridging the gap
Fidelis Cybersecurity, which provides advanced threat defense and incident response services, is frequently called by organizations after major breaches, such as the Home Depot event. Jaeger says there has been an increased number of inquiries from boards—and frequently, the breaches the company responds to have gone undetected for months.
“The board tends to not have a lot of confidence in the company’s ability to monitor and detect network intrusions,” he says.
A white paper titled “Bridging the Gap,” issued by Fidelis in response to the Ponemon study, says it would take three things to address the disconnect: increasing the board’s cybersecurity knowledge, giving the board visibility into the cybersecurity posture of the organization, and increasing the trust between the board and the IT team.
The trust will grow once the first two elements are in place, according to Jaeger. But he recommends going beyond that—putting in place things like incident-response exercises so the boards and the CISOs are used to interacting as well as going through common experiences.
The dialogue between the two sides needs to be recurring, he says.
But it may take the cybersecurity experts in organizations some time to get used to this type of role. Prisco notes that chief information security officer is a relatively new position and not many CISOs are comfortable in the boardroom.
“It’s a matter of having a CISO who can get the point across without … the jargon that makes most senior executives’ eyes glaze over,” he says. “If you can tell the story and show it is affecting the bottom line, you have a better chance of getting the proper tools in place.”