With the invention of the computer and networks such as the Internet, corporate assets and delivery channels have changed in composition from the physical to the digital. The risks to these assets have also evolved. Now, the risks corporations face are increasingly cyber-enabled ones. Not surprisingly, policy makers, regulators, and increasingly, shareholders, have also trained their attention on corporate cybersecurity and the Boards of Directors, which oversee the management of this cyber risk. Indeed, when it comes to cyber, nowadays, all eyes are on the boardroom. As Securities and Exchange Commissioner Luis Aguilar warned, “boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”
To see how senior leaders and governance structures are adapting, The Financial Services Roundtable, Palo Alto Networks and Forbes partnered with Georgia Tech in sponsoring the “Governance of Cybersecurity Report” for 2015. The survey results were telling. Cybersecurity has risen to become a boardroom-level issue for nearly two-thirds (63 percent) of the companies surveyed, a significant jump from 2012, when only 33 percent of boards were actively addressing computer and information security.
According to the report findings, the financial services industry has been a leader in this movement. Compared to other sectors, the financial services industry has had one of the largest improvements in board discussion and active oversight, with 79 percent of respondent financial sector firms indicating that cybersecurity is addressed by their boards of directors (a 35 percent increase from 2012). Additionally, the percentage of financial sector boards that actively consider cyber risks in reviewing and approving supplier relationships shot up to 64 percent from 38 percent in 2012. Financial sector boards also have more board Risk/Security Committees and IT/Technology Committees than any other sector in both the 2012 and 2015 surveys. The sector also leads in the percentage (86 percent) of Chief Information Security Officers (CISOs) it employs.
Other positive findings from the study show that across the sectors, surveyed companies’ senior leaders are reaching outside their organizations for new solutions to address and mitigate cyber threats. Since 2008, 40 percent more organizations have brought in Chief Information Security Officers and 53 percent of respondents have hired outside risk management consultants.
However, key challenges remain around understanding how best to utilize people, processes and technology to build a prevention mindset into organizations. While 63 percent of respondents said their board regularly or occasionally reviewed their annual security program, only 46 percent said they had participated in a test scenario of the plan. As is often quoted by first responders, you don’t want to be exchanging business cards in an emergency.
In conclusion, while the report indicates that, overall, corporate boards are increasing their cyber focus, there is still room for growth. By implementing some of the report’s recommendations and sharing other best practices across industries, boards and senior leaders can do their part in helping their companies address cyber risks and preserve trust in our digital way of life.