The Gap Between The Board and IT Security

The Ponemon Institute released a study comparing the views of about 7,000 board members and 11,000 IT security practitioners, and the results show some interesting data.

The first question is "Our board of directors understands the security risks to the organization." While 70% of the board members agree or strongly agree with that statement, only 43% of the IT security practitioners agree or strongly agree with it. That is a pretty big gap.

Given that board members make important cyber security decisions, their knowledge of that domain matters. Here are a few selected answers from the survey:

  • 9% of the board members said they were very knowledgeable about cyber security. 26% said that they had minimal or no knowledge.
  • 59% of the board members said that the company's cyber security governance practices are very effective. Only 18% of the IT security practitioners agreed with that statement.
  • 18% of the board members were unsure whether the company had suffered a breach that resulted in lost or stolen records.
  • 21% of the board members were unsure whether the company had suffered a cyber attack that disrupted business operations.
  • 79% of the board members said that cyber security governance is not on the board's agenda because it is best handled by company management, and 51% said it was due to concerns about director liability (respondents could give more than one reason). So half of the directors said that they did not want to deal with cyber security because they thought they might get sued. Given that a breach could cost the company millions of dollars or even put it out of business, that looks a lot like a breach of fiduciary responsibility.
  • 69% of the board members are concerned about their potential liability if the company has a serious breach. That would seem to indicate that they should do their best to make sure the company does not suffer one.
  • Currently, the SEC has issued only voluntary guidance on disclosing cyber breaches. 83% of the board members of companies that have suffered a breach think the SEC will issue mandatory regulations; only 17% of those at companies that have not had a breach think so.
  • 81% of the board members think that if the SEC issues such regulations, board involvement will increase.

So, while this indicates that boards are concerned, in the absence of regulations requiring disclosure, and given their fear of being sued, the majority of board members prefer to avoid the issue.

The study is available here.
