Based on a survey of C-suite executives conducted in connection with Cybersecurity at MIT Sloan (CAMS), the report found that 77% of board members agree that cybersecurity is a top priority for their board. More than three-quarters of respondents said their board discusses cybersecurity at least monthly, and that same proportion believes their boards clearly understand the systemic risks their organizations face. Likewise, more than three-quarters said they believe their company has made adequate investments in cybersecurity.
The headline figures sound positive, but the report notes that the optimism may be misplaced. Nearly two-thirds of board members surveyed believe their organization is at risk of a material cyberattack in the next 12 months and almost half feel their organization is unprepared to cope with a targeted attack.
Perhaps indicating growing awareness of the issue, two-thirds of respondents identified human error as their most significant cybersecurity vulnerability. However, the report argues that the figure should be much higher, since statistics suggest that human error leads to 95% of all cybersecurity incidents.
“It is encouraging to see that cybersecurity is finally a focus of conversations across boardrooms,” Lucia Milică, vice president and global resident CISO at Proofpoint, said in a statement. “However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organizations for material cyberattacks.”
Other findings include board members ranking email fraud and business email compromise as their top concern at 41%, followed by cloud account compromise at 37% and ransomware at 32%. The numbers contrast somewhat with those of chief information security officers who, while also identifying email fraud/BEC and cloud account compromise as top concerns, instead named insiders as their top threat, whereas board members rate insiders as a lower concern.
Board members were also found to disagree with chief information security officers about the most critical consequences of a cybersecurity incident. Internal data becoming public is at the top of the list of concerns for boards at 37%, followed closely by reputational damage at 34% and revenue loss at 33%. CISOs, on the other hand, were found to be more worried about significant downtime, disruption of operations and impact on business valuations.
The report also found that the relationship between boards and CISOs has room for improvement. Some 69% of board members report seeing eye-to-eye with their CISO, while only 51% of CISOs feel the same.
“Board members need to look for ways to make CISOs their strategic partners,” noted Dr. Keri Pearlson, executive director at Cybersecurity at MIT Sloan. “With cybersecurity risk front and center on boardroom agendas, a better alignment of CISOs’ and boards’ cybersecurity priorities will only serve to improve their organizations’ protection and resilience.”