Two recent surveys of public company corporate directors, one by PwC and one by Corporate Board Member Magazine/Spencer Stuart, found considerable worry about cyber risk and dissatisfaction with management's reporting on cybersecurity. If anything, these surveys may understate current sentiment, since both were conducted before the full impact of the SEC's new guidance on cyber risk disclosures had been felt.
Some of the key findings:
CISOs have long complained about getting facetime with boards only in 15-minute slots; they should prepare for a change. Eighty-seven percent of directors surveyed said their boards should spend more time on cybersecurity (PwC), and board members rated cybersecurity as the #1 issue on which they most needed expert advice (Corporate Board Member Magazine/Spencer Stuart).
Of the roles that report to boards, the CISO ranked at the bottom for presentation skills: just 19% of directors rated CISO presentations "excellent" (PwC), and only 37% strongly agreed that management provides adequate reporting on cybersecurity metrics (PwC). Clearly, the burden is on CISOs to communicate with the board in the business terms the board expects to hear. In particular, that means moving cyber risk reporting away from heat maps and hand-waving FUD toward financially based metrics that line up with the rest of the enterprise risk management program. For more on that, read our blog post: Message to Cybersecurity Professionals: Learn the Language of the Business.
After recent years of heavy bottom-line impact from cyber attacks, 82% of directors felt that cyber threats had moved from an IT issue to one that would drive overall strategic change at their companies (PwC). At the same time, only 19% strongly agreed that management had identified those cyber threats (PwC). That is part of a more general unease boards feel about management's grasp of disruptive forces: just 22% rated as excellent the information management provides on disruptive forces (PwC).
Eighty-two percent said they do not see the need for a distinct cyber risk committee (Corporate Board Member Magazine/Spencer Stuart), and only 12% of boards have a separate risk committee of any kind (PwC). In practice, that often means cyber risk still falls under the purview of the audit committee, whose primary concern is compliance with accounting and legal regulations, not looking around corners for cyber and other technology-driven risks. For more on that, read this blog post from the FAIR Institute: Should Boards Establish a Separate Risk Committee?
Learn how RiskLens can help you be a business-aligned CISO – listen to our webinar on cyber risk quantification to meet the new SEC reporting requirements.