Tanium teamed up with NASDAQ to shed light on the gap between corporate leaders’ presumed and actual understanding of their own cybersecurity vulnerability. In The Accountability Gap: Cybersecurity & Building a Culture of Responsibility, researchers from Goldsmiths, University of London, identified seven inherent challenges that businesses must overcome to manage cybersecurity vulnerability: cyber literacy, risk appetite, threat intelligence, legislation and regulation, network resilience, response, and behavior.
The relationship between risk and the board is an increasingly complicated dance. The lightning-fast pace of technological and economic change has made Enterprise Risk Management (ERM) a more demanding, hands-on responsibility for directors. And while taking on risk has many strategic advantages for an organization’s growth, cybersecurity has risen to the top of the ERM list, and it is a very different kind of threat, one that requires a different strategy, language, and ground rules. Unlike a financial exposure, cybersecurity vulnerability cannot simply be accepted, hedged, or carried on the books as a cost of doing business: known weaknesses have to be found and closed, not tolerated. An organization can no longer leave the responsibility for cyber exclusively to technical leadership; everyone from the top down should be held accountable for the consequences of cybersecurity vulnerability.
While board members should not be expected to be technology experts, the board should be in a position to ask the right questions about IT benchmarks and best practices within the industry. We found that 91% of board members at the most vulnerable companies are unable to interpret a cybersecurity report, and only 50% reported receiving cybersecurity training.
Boards must understand an organization’s cyber threat landscape, just as they understand its financial risk. But when an organization lacks confidence in its own data, when the right operational controls are not in place, and when the board does not understand enough to assess and oversee cybersecurity, who is actually accountable? Board members can do more to help themselves, and technical leadership can do more to partner with the board.
CIOs and CISOs can begin turning around these numbers by providing the board:
As a director myself, I speak to cybersecurity experts on a regular basis and review case studies to keep up to speed. Through my years working in the enterprise and consumer tech industries, I am fortunate to understand IT environments, classes of security technology, and the general language used to describe cybersecurity issues; board members who do not have this background should speak with their company CIO or CISO. At a minimum, information and security leaders should lead an annual “Cyber 101” session and share a glossary of terminology in lay terms.
Other recommended activities:
The introduction of Sarbanes-Oxley ten years ago was a turning point in company financial oversight and control and completely changed the way fiduciary oversight was handled. While we have not yet met the same tipping point with respect to cybersecurity, oversight of the IT environment is a key element for all public company audit plans. I am encouraged to see the development of cyber risk management frameworks today, and expect that public company boards will ultimately understand and oversee cyber risk frameworks like they do today with financial reporting. Until then, it’s on all board members to take an active role in their own cyber literacy.
The full report is available to download at The Accountability Gap: Cybersecurity & Building a Culture of Responsibility