SANTA CLARA, Calif., and WASHINGTON, Oct. 2, 2015 – A new global study, Governance of Cybersecurity: 2015 Report, developed by the Georgia Tech Information Security Center (GTISC) and supported by Forbes, the Financial Services Roundtable (FSR), and Palo Alto Networks, reveals that there has been a dramatic increase in the attention that boards and executives are paying to cybersecurity risk management. 

The survey polled board directors and executives from Forbes Global 2000 companies, and the report compares survey results from three previous surveys conducted in 2008, 2010, and 2012. 


The survey results indicate that, since 2008, boards and executives have been making concerted efforts to address cyber risks. Highlights of the 2015 survey and comparisons against previous survey results include:

  • Cybersecurity has risen to become one of the top boardroom issues, with nearly two-thirds (63%) of the survey respondents actively addressing computer and information security, up from 33 percent in 2012.
  • Most boards – 53 percent – have established a Risk Committee separate from the Audit Committee, up from 8 percent in 2008, which now has overtaken responsibility for oversight of cyber risk from the Audit Committee.
  • Boards today are paying a great deal more attention to cyber insurance coverage – 48 percent of the respondents said their boards were focusing on cyber insurance, up from 28 percent in 2012.
  • Boards also are placing a much higher value on risk and security experience when recruiting board directors – 59 percent of respondents said their board had a director with risk expertise, and nearly a quarter (23%) had one with cybersecurity expertise.


“More companies than ever before, including the financial services industry, consider cybersecurity threats a major executive-level problem and are taking significant steps to protect their customers and their businesses,” said FSR president and CEO Tim Pawlenty.

“The 2015 Governance of Cybersecurity report clearly reflects a sea change from the attention boards were paying to cybersecurity issues in the 2008, 2010, and 2012 surveys,” said Jody Westby, author of the series of survey reports and CEO of Global Cyber Risk, LLC and adjunct professor at Georgia Institute of Technology. “This report shows that, for the first time, directors and officers understand they have a fiduciary duty to protect the digital assets of their companies and are paying more than cursory attention to cyber risks; it is a welcome change that will help protect shareholders and customers.” 

“It’s excellent to see that corporate executives are dramatically increasing efforts to manage cyber risks.  Establishing an appropriate dialogue between technical experts and the executives who can prioritize resources is essential to effectively secure an organization. However, this increased attention must be coupled with appropriate action to apply the right combination of people, technology and processes to secure computing environments; this starts with establishing a breach prevention mindset.  This study provides a basis for organizations around the globe to start having more discussions on just how to achieve this,” said Ryan Gillis, vice president of Cybersecurity Strategy and Global Policy at Palo Alto Networks. 


The 2015 report compares survey results across critical infrastructure sectors and geographic regions and indicates that all industry sectors increased attention to cyber issues at the board and executive levels. Key findings include:

  • The financial sector far exceeds other industry sectors with 86 percent having a board Risk Committee separate from the Audit Committee, followed by the IT/Telecom sector at 43 percent.
  • North American and European boards are paying significantly more attention to cyber risks (85% and 58% respectively, up from 40% and 19%), while Asian boards showed no increase in attention to these issues (38% in 2012 and 2015).
  • North American board attention to cyber insurance doubled from 2012 (70% in 2015 vs. 35% in 2012), European boards had a 26 percent increase, whereas Asian boards showed a 3 percent increase.
  • Most Asian boards (98%) have a Risk Committee, whereas only 43 percent of European boards and 42 percent of North American boards have one.
  • The industrial and financial sectors showed the largest increase in attention to cyber issues, and all sectors showed marked improvements in engaging in best practice activities to manage cyber risks.

More detailed financial industry findings can be found in the Financial Services Roundtable press release.


There is still room for improvement; the study shows key challenges remain in some critical areas:  

  • It is still common for CISOs to report to CIOs (40% do), even though that reporting structure can create segregation of duties issues.
  • While 63 percent of respondents said their board regularly or occasionally reviewed their annual security program, only 46 percent said they had participated in a test scenario of the plan. 
  • Boards need to ensure their organization’s security teams have the resources necessary to protect their digital assets; only 50 percent of the respondent boards are reviewing security budgets.


Cybersecurity governance is the focus of an FSR panel discussion today at 12 p.m. ET. 

For more information about the panel, and to access a livestream, visit:

For a full copy of the GTISC Governance of Cybersecurity: 2015 Report, visit:

For additional insights, visit the Palo Alto Networks Research Center blog:



The Financial Services Roundtable represents the largest integrated financial services companies providing banking, insurance, payment and investment products and services to the American consumer. Member companies participate through the Chief Executive Officer and other senior executives nominated by the CEO. FSR member companies provide fuel for America's economic engine, accounting for $92.7 trillion in managed assets, $1.2 trillion in revenue, and 2.3 million jobs. Learn more at


Located in Atlanta, Georgia, the Georgia Institute of Technology is a leading research university committed to improving the human condition through advanced science and technology.  Ranked as the #7 best public university, Georgia Tech provides a focused, technologically based education to more than 21,500 undergraduate and graduate students. GTISC was established in 1998, when Georgia Tech hosted the Sam Nunn Policy Forum. Developed from Senator Nunn’s concept of educating citizens about important issues, the focus of the forum was the critical and strategic role of information security to the business community, to private citizens, and to all levels of government.  Jody Westby is an Adjunct Professor in Georgia Tech’s School of Computer Science and affiliated with GTISC.


Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide.  Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets.  Find out more at


Erika Reynoso

GTISC and GA Tech
Jody Westby
202 255-2700

Palo Alto Networks
Jennifer Jasper-Smith