New survey suggests high board interest in cybersecurity, but CISOs are poor communicators

General counsels would benefit from additional cybersecurity risk expertise

A survey of nearly 200 directors of public companies reveals that 80% of companies now discuss cybersecurity in the boardroom. Alarmingly, however, one in five companies admit to discussing it only after an incident has occurred internally or within their industries.

Interestingly, the survey shows that 35% of companies discuss cybersecurity at every meeting, while 46% discuss it at most meetings.

The research also shows that, in most instances, the CEO is held responsible for a data breach. This clearly shows that the responsibility for attacks has shifted to being viewed as a broader business issue, moving away from resting solely with the CISO and the security team.

Boards not concerned about the security risks of introducing new products

While the board’s interest in cybersecurity is heartening, the report shows that security risks are ranked second last in directors’ list of risks when introducing a new product or service to the market. One director stated that “the more you introduce risks, the less user friendly” the product becomes. The report suggests that there may be a misconception about how thoroughly a product is tested for vulnerabilities before its release.

Studies by both SANS and IDG Research show that the majority of software applications produced are never assessed for vulnerabilities (62%, according to IDG Research). Ironically, more than 70% of respondents in the Cybersecurity in the Boardroom report have significant concerns about risk from third-party software in their supply chains.

CISOs should become better communicators

The report also suggests that the CISO should take practical steps to communicate more effectively, and to translate cyber risks into business terms. Expertise in crisis communications was also considered an essential element of the CISO’s range of skills. Nearly two-thirds of respondents indicated a strong preference for either risk metrics or high-level strategy descriptions, rather than descriptions of security technologies. Only 9% wanted information on the security audit and compliance status, while 1% were interested in actual security anecdotes.

While it’s refreshing to see cybersecurity risk move higher on the board’s agenda, companies should move towards adopting a more comprehensive approach to managing information security.

ISO 27001 is the world’s leading information security standard, delivering numerous benefits for those organisations registered to this international standard.

IT Governance offers a unique blend of ISO 27001 implementation solutions tailored to suit every size of organization and budget. The ISO 27001 ‘Get A Little Help’ package is a complete DIY package, which includes the best-selling ISO 27001 documentation toolkit, three essential standards from the ISO 27k series, two leading publications, and the definitive risk assessment software, vsRisk™.

Why choose IT Governance for ISO 27001?

  • Our service is unique – you cannot get an equivalent blend of tried and tested implementation resources (including expert guidance, books, software, training, and professional services), anywhere else in the world. There’s no need to source additional support or resources – we do it all.
  • IT Governance is the only company in the world offering global online access to training and consultancy services for ISO 27001. You will have direct access to world-class expertise in the most efficient and cost-effective format available.
  • Using IT Governance enables you to use your registrar for what they do best (registration audits), and IT Governance for what we do best (cost-effective, pragmatic implementation).
  • 24/7 online delivery of training and services will save your company the costs and delays traditionally associated with management system implementation – such as having to arrange travel, expenses, and office space.
  • A dedicated account manager who can help you find the most appropriate solution for your specific needs is always a phone call or email away.
  • We bring over ten years’ experience helping organizations to implement an ISMS and achieve registration to ISO 27001.

ISO 27001 Packaged Solutions