First study of corporate board members’ cyber risk concerns shows progress – and persistent gaps to overcome
Focal Point Data Risk, LLC (Focal Point), one of the largest pure-play data risk consulting firms in North America, today announced the release of the inaugural Cyber Balance Sheet Report. This first-of-its-kind research study uses in-depth surveys and interviews with corporate board members and chief information security officers (CISOs) to conclusively identify specific cyber risk issues resonating in boardrooms. Equally important, the unprecedented research reveals how CISOs and boards can quickly improve communication and collaboration in this critical area.
The Cyber Balance Sheet Report was independently produced, after several months of intensive research, by the Cyentia Institute (Cyentia), a cybersecurity research firm, co-founded by Dr. Wade Baker, who is widely recognized as the creator of the Verizon Data Breach Investigations Report (DBIR). In the study, Focal Point and Cyentia conducted comprehensive interviews with more than 80 board members, CISOs and subject matter experts. The report’s findings offer a rare window into the cyber risk dialogue in the boardroom, contrasting with many years of assumptions and security vendor characterizations.
“For years pundits have been saying ‘Cyber needs to be a boardroom issue,’ but the Cyber Balance Sheet Report replaces this sound bite with the most illuminating look yet at where cyber issues are making headway with boards or falling off the table,” said Yong-Gon Chon, CEO of Focal Point. “The report reveals important indicators around cyber awareness at the top levels of governance. We have evolved from cybersecurity being a component of IT performance to becoming an issue that prompts broader questions about protecting valuable company data. Yet, as the report discloses, it’s the nature of these questions and how CISOs respond that determines how far oversight and accountability still have to evolve.”
Key insights include:
- More talk of “guidance” than “protection” – CISOs report they spend most of their boardroom time “giving security guidance” on business enablement and loss avoidance. Surprisingly, CISO respondents reported they spend far less time discussing “data protection” and “brand protection,” despite widespread coverage of how breaches affect intellectual property and trust.
- Boards want a “helicopter view” of cyber risk – Board members were five times as likely to cite “risk posture” as a key security metric compared to CISOs and 13 times as likely to say the same about “peer benchmarking” – showing boardrooms’ greater concern for the “big picture.” Board members prefer this helicopter view of the cyber battlefield, versus CISOs’ day-to-day view of threats and trends more analogous to driving tanks through the mud.
- Assumptions rule the world – Board members report being inundated with security data and often assume CISOs armed with this data have things under control. One CISO was told, “We do not understand everything you are telling us, but we have a lot of confidence you are doing the right thing.” This refrain underscores a lingering divide between how security teams inform boards on issues impacting the bottom line.
“Pending legislation, shareholder pressure and media attention are all pushing board members to take responsibility for their organizations’ cybersecurity. As this happens, it’s important to understand the questions that board members are asking and measure whether CISOs are providing the answers,” said Baker, the lead researcher on the report. “This is where the Cyber Balance Sheet Report comes in. We interviewed scores of board members, CISOs and industry experts, and the report we developed offers the first-ever look at how boards are thinking about these critical issues.”
The complete Cyber Balance Sheet Report is available for download here.
Follow Focal Point Data Risk
About Focal Point Data Risk
Focal Point Data Risk, LLC is a new type of risk management firm delivering a unified approach to addressing data risk through a unique combination of service offerings. Focal Point brings together industry-leading expertise in cybersecurity, identity governance and access management, data privacy, analytics, internal audit and hands-on training services – giving clients everything they need to plan and develop effective risk and security programs. By integrating these services, we provide the resources necessary for protecting and using data across entire organizations. Simply put, Focal Point is the next generation of risk management. Visit https://focal-point.com for more information.