Price Waterhouse surveyed 500 business executives, law enforcement services and government agencies and here are some of the results:
- 28 percent say that their security leaders make NO presentations to the board ever
- 26 percent say that their boards receive a single security presentation per year.
Neither of these answers warms my heart, but they don’t surprise me either.
That means that only a third of the boards receive regular (typically quarterly) updates on cyber risk.
One third of the respondents from small companies and 18% of the security leaders at large companies say they never present to their boards (this is the opposite view of the numbers above – what the CISOs say vs. what the boards say).
- Only 42% of the respondents view cyber security as a corporate governance issue. I guess when the rest of their companies are breached and they have to spend millions of dollars to deal with it, that won’t be a corporate governance issue either. I guess.
- 30 percent say that no board members or committees are involved in cyber security. That means that 70% have some form of involvement.
What all this tells me is that information risk folks still have some way to go in explaining to boards why they should care.
Recently, three CEOs or executives in similar roles have lost their jobs over breaches (Sony, Target and Ashley Madison). That certainly is a board issue.
Costs of dealing with breaches run from a million dollars on the very low end to several hundred million dollars on the high end. Either figure should be one that boards are concerned about.
And then there is reputation. Whether you are in retail (Target), government (OPM) or healthcare (Anthem) to name a few, when people are asked about these companies, what they remember is that they were breached.
That is great brand recognition, but for the wrong reason.
This does not mean that we should hang up our security cleats and go out and get drunk.
Rather it means that we need to continue to educate boards so that they understand that it is a governance issue and that if they ignore it, so will their CEOs.
The education needs to be in business terms because – IT RISK IS BUSINESS RISK. If you present it in any other context, you are highly unlikely to be listened to. What is the impact of a breach on sales, fines, litigation, brand reputation and the distraction of key executives? These are things that board members can understand. Do not tell them about the number of malware-laced emails that you stopped – they don’t really care.
Just my two cents.
Information for this post came from CSO Online.