As board members look to set their agendas for 2017, many will include getting a better handle on cybersecurity among their top priorities. They will be looking for information security and risk professionals to provide an accurate assessment of the critical cyber-risks the organization faces. IT audit also has a role to play: assessing whether a cybersecurity risk management process is in place and functioning properly, and communicating that assessment to the board and management.
Cyber-risk oversight is becoming an increasingly critical job for corporate boards. Yet a new survey finds that many directors may not be equipped with the knowledge and understanding they need to provide that oversight. A lack of knowledge can create a disconnect between technology professionals and directors, leading to the potential for breakdowns in IT risk management and cybersecurity.
According to a survey of more than 600 corporate board members released last month by the National Association of Corporate Directors, only 19 percent say their boards have a "high level of understanding" of cybersecurity risks. While that figure is up from 14 percent in NACD's 2015 survey, the association still considers it far too low.
"Directors continue to wrestle with effective oversight of cyber-risk," the NACD stated in its report. "Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge of this growing risk."
While the survey found that 69 percent had "some knowledge" of cybersecurity risks, up from 64 percent, perhaps the most alarming survey result is that 17 percent of respondents admit that their boards had "little-to-no knowledge" of cybersecurity risks. "The gap is most pronounced among those companies in the healthcare sector, where 38 percent of respondents indicate they believe their board has little-to-no knowledge regarding cybersecurity risks," NACD said in its report.
Low Confidence in Cyber-Defense
This general lack of cybersecurity knowledge and understanding among board members aligns with a lack of confidence among directors in their organization's ability to defend against cyber-attacks. The NACD survey found that just 42 percent of respondents were "confident or very confident" that the company is properly secured against a cyber-attack, with 53 percent "moderately or slightly" confident and 4 percent not at all confident.
Many cybersecurity experts say technology professionals, including IT auditors, could do a better job of educating directors and C-suite executives on cybersecurity and cyber-risk. When it comes to boards that are less IT-savvy, says Marius Bosman, director of IT audit at Ball Corp., it can help to provide cases for them to learn from. "I think you need to use an example out of the news, and we've seen many examples. Sit down and explain to them in a really easy fashion or in layman's terms how an attacker got access to a network and what went wrong." He says directors also need to understand that even if the organization is doing everything it can, it doesn't mean attackers can't get in. Board members should also be informed of detection methods and how quickly the organization can respond to a breach, he says.
Still, Bosman thinks many directors and CEOs are fairly sophisticated about IT risks and understand their importance. "Boards are knowledgeable in this area, and most are fairly well educated," says Bosman. "They see a lot of cyber-activity in the news and I think they know all the buzz words and they have a good understanding. However, for us it helps to send our head of IT and our head of IT security to our board meetings to help educate them further and add a little bit of perspective and balance to the conversation," he says.