As cyber attacks become more costly, more disruptive, and a threat to businesses, cybersecurity governance is quickly becoming a priority for boards. Some boards have added cybersecurity expertise as a new director qualification on their rosters. Others rely on contractors and third-party service providers to bring cyber-risk expertise into the boardroom. Some are even employing a controversial technique: hiring hackers from red teams to test the company’s systems and discover which vulnerabilities they may have.
But for many boards, there is a gap between their declared goals and the actions they take to address those priorities. Our research has shown that only 69% of board members report they regularly interact with their CISOs. A significant portion of these board members only communicate with their CISOs when the CISOs are presenting to the board. These gaps must be addressed to ensure that the boardroom is able to have a dialogue and be aware of cybersecurity risks.
To bridge the cybersecurity gap, it is crucial to make cybersecurity a part of every board and to be able to engage directors in meaningful discussions regarding the risks they face. This means changing the way the conversation is conducted in the boardroom, for instance by introducing an agenda item for cybersecurity and providing pre-read material so that meetings can be used for more detailed discussions of cybersecurity issues. It is also crucial to make cybersecurity a priority for the board and to develop an environment that promotes security through the tone set at the top and rewards for those who raise awareness about risk.