Boards of Directors Rising to Cybersecurity Challenge

Cyber risk has become a permanent fixture on the agenda in boardrooms across the world, as companies’ accelerated digital transformations during the pandemic exposed them to increased attacks. But while boards are fully alert to the fact that cyber risk is business risk, there’s still a need for greater depth of knowledge and discussion at board meetings, according to business and security leaders surveyed by Mimecast. 

As boards continue to hone their focus, they are expected to drive cyber strategy, culture, and budgets to new levels in the coming months and years. For boards to become more cyber-savvy, though, CISOs and other security executives also need to become more “board-savvy”, connecting the dots for directors between cybersecurity measures and business outcomes. 

These and other findings come from in-depth interviews with 78 executive leaders in 13 countries, delving into the perceptions of cyber risk held by the C-suite and the board. Speaking anonymously, respondents were able to give frank appraisals of the state of cybersecurity governance. For example, a Canadian senior IT director in the entertainment sector shared that, “On a rating scale of one to 10, where one is worst and 10 is best, I would rate the board level of understanding about cybersecurity at seven.”

Boards Sharpen Focus on Cybersecurity

Much of what we heard in these interviews underscores how the recent acceleration of pre-pandemic trends such as digital transformation and rising cybercrime have elevated boards’ level of attention to cybersecurity. Comments included:

• “Ever since the mass migration to digitization happened, cybersecurity and cyber risk have been top concerns in the boardroom.”— CTO for a UK entertainment company
• “Since COVID-19 and the increase in online and ecommerce options, you could say there has been a sea change in the perception of cybersecurity.”— South African healthcare CIO
• “Since the pandemic, almost all the [board] meetings have had coverage around cybersecurity-related topics.” — Senior IT director in the U.S. public sector
• At this point, “I feel the board considers cyber risk to be just another business risk — but one that has a higher potential impact.” — Australian CIO

Supporting these views, the National Association of Corporate Directors (NACD) in the U.S. reported this year that cybersecurity was one of board directors’ top five concerns (ranking below inflation and the competition for talent but tied with economic uncertainty and digital transformation).[1] Eighty-three percent of directors said their board’s understanding of cyber risk had significantly improved since 2020. That was when 61% of directors had said they’d be willing to compromise on cybersecurity to achieve business objectives, and 70% said they were already spending enough time on the topic in meetings.[2] 

Yet, the change at the top has not been wholesale. Many board members still maintain a reactive stance to cybersecurity, turning their attention to the issue only if their company is attacked or they see press coverage of a breach. As a senior IT director in Singapore put it: “They respond quickly when major cyber incidents are reported in the media, but they soon forget about the issue until the next significant cyber incident.”

Boards Still Suffer Knowledge Gaps

Board awareness of cyber risk only goes so far, according to our survey participants. They identified several ways that board members with knowledge and experience could build board decision-making capacity beyond the current level. For instance, knowledgeable board members could help elevate the understanding of their fellow members, understand the scale of a problem faster, sustain a sense of urgency about cybersecurity and promote investment in the right mix of technology, training, and other elements of a stronger cyber strategy.

Some boards have greater cyber-sophistication than others. Where it’s lacking, “it’s challenging for us to achieve foolproof security, since most of the board members don’t have relevant experience in cybersecurity,” said a Canadian IT manager in the healthcare industry. By contrast, a CTO in the United Arab Emirates financial sector finds himself in a better situation. “We’re kind of ahead of other banks, I believe, because a number of board members have strong cybersecurity expertise,” the CTO said. “The biggest advantage of this is that these specific board members can educate other board members on cybersecurity-related matters. That's the reason why most of our board members are highly receptive to the idea of focused training programs for employees across all levels.”

In the NACD annual report, four in 10 directors said they, too, favor adding a board member with cybersecurity experience. They’re motivated not only by the growing risk of attack but also increasing regulatory scrutiny.

Better Communication Can Bridge Board Gaps

Whether it’s a financial loss from a ransomware attack, the impact of company downtime due to email-borne malware or reputational damage caused by a data breach, cyber risk is now top of mind for most boards of directors. Still, nurturing a sustained and meaningful board commitment to cybersecurity is no easy feat for security executives, given the many important matters competing for board attention.

The executives we interviewed shared some of their communication tactics, ranging from board presentation tips to changing mindsets, including:

• “My advice to CISOs is to not turn everything into a crisis. Be judicious with what you raise to avoid becoming ‘noise.’ Keep your powder dry for the big incidents you want to raise and get the board and senior leaders to influence change.” — U.S. tech sector CISO
• “The challenge for CISOs is to communicate to the board meaningfully because most of the ways of quantifying other business risk do not apply to cybersecurity. I try to keep the message simple and focus on metrics that show how well we’re doing with our cybersecurity objectives.” — U.S. tech sector CISO
• “Sometimes [board members] do not understand the cost of a particular kind of attack. That’s when I have to open up my business brain (leaving aside my technical and security know-how) and attempt to convey the quantification of the loss to them.” — Singapore CTO in the entertainment industry

Layered Security Frameworks Provide Value and Efficacy

In addition to keeping board members informed and ensuring they feel supported both during times of crisis and everyday operations, it is important for businesses that operate in complex and volatile environments, enduring more sophisticated threats, to implement layered security frameworks that can meet growing budget concerns by reducing costs and allowing security teams to do more with less.

With more than 90% of attacks coming into businesses through email, CISOs need to concentrate their efforts on email security. Reminding board members of the importance of risk management frameworks and tabletop exercises as well as how these important tools can reduce costs and empower security teams can give board members a clear view of the consequences of poor cyber hygiene.

CISOs should aim to create a defense-in-depth model that enables cybersecurity teams to detect and remediate cyberthreats quickly using a collection of best-in-class security products that share data and analytical insights, offering true layered security that helps SOC teams link prevention, detection, investigation and response across tools and businesses.

Security-Aware Cultures Reduce Phishing Success

Phishing persists because attackers can continually adapt their approach, and automation tools and phishing kits are making it easier for a less skilled cybercriminal to cast a wider net, which can cause greater damage to businesses. Against the backdrop of the global pandemic, the recent State of Email Security report revealed that a full 97% of businesses have experienced phishing attacks, and 59% have reported a significant uptick in the phishing threats they face. 

To mitigate these persistent and adaptable threats, CISOs should focus on developing a security-aware culture throughout the entire business, including board members. Changing human behavior isn’t simple or fast, however, so cyber awareness training and remediation efforts take time to yield results compared to the implementation of email security or other technology tools. That’s why more leaders are realizing how valuable a culture that prioritizes cybersecurity is to long term safety. Creating such a culture requires persistence, creativity, and a highly visible commitment from leadership.

The Bottom Line

Cyber risk is business risk. Boards of directors have now prioritized this understanding, according to new research, but they still have room to grow into their cyber-governance roles. For their part, security executives can help bridge any gaps in board knowledge and experience by improving the way they communicate with the board about cyber risk and defenses. Read more about this developing situation in Mimecast’s latest report: “Behind the Screens: The Board's Evolving Perceptions of Cyber Risk.” 

[1] “NACD Annual Public Company Survey Reveals Key Boardroom Trends for 2022,” National Association of Corporate Directors

[2] “NACD Public Company Board Governance Survey for 2020,” National Association of Corporate Directors