A new study by Tripwire reveals that US IT professionals are less confident in their board’s cybersecurity literacy than their UK counterparts. While 71% of UK IT professionals said that they consider their corporate board to be cybersecurity-literate, only 57% of US respondents gave the same answer.
Tripwire’s study surveyed 200 IT security professionals at US companies with annual revenues of more than $5 billion, and 151 IT professionals from UK organizations with annual revenues over £500 million. It evaluated cybersecurity risk decision-making and communication between IT security professionals, executive teams, and boards.
Cybersecurity is a board responsibility
When asked if one of their company’s board members is responsible for cybersecurity, only 50% of US respondents answered the question affirmatively, compared with 75% of UK IT professionals.
32% of US respondents believed the information presented to the board did not accurately represent the urgency and intensity of the cyber threats targeting their organization. Only 13% of UK IT professionals answered similarly.
Impact of data breaches on boards’ cybersecurity awareness
An interesting finding of the study is the impact that high-profile data breaches have had on boards’ cybersecurity awareness.
34% of US IT professionals said that the Target breach had the biggest impact on their board’s awareness, followed by the Sony Pictures breach (23%) and the Snowden leaks (17%).
UK professionals, on the other hand, consider a security breach at their own organization (34%) to have had the biggest impact on their board’s cybersecurity awareness. The Target and Sony breaches had a similar impact, at 17% and 16% respectively, while the discovery of the Heartbleed security bug also had a significant impact, according to 20% of respondents.
Tackling cybersecurity effectively
Many firms in the US (including Google Apps, Amazon Web Services, and Microsoft) are implementing ISO 27001 – the internationally recognized best-practice framework for an information security management system (ISMS) – to tackle the cyber threat. It helps businesses set out a framework to identify the risks to their confidential information and put appropriate controls in place to reduce those risks. Implementing ISO 27001 also gives the board reassurance that cybersecurity is dealt with in an effective manner using international best practice.
The Standard is unique in that it is the only cybersecurity framework to incorporate all aspects of the cyber threat, including people, processes, and technology.
In fact, registration to the Standard rose 17% in the US in 2014, according to the latest ISO figures, and the US is in the top ten countries worldwide for registration.