A new survey from the Ponemon Institute and Fidelis Cybersecurity highlights some concerning data about the state of cybersecurity. Defining the Gap: The Cybersecurity Governance Survey shares the results of the study and finds a disturbing rift in cybersecurity knowledge between those who make decisions and manage the budgets and those who have to implement and manage the security measures.
Ponemon surveyed more than 650 board members and IT security professionals (CIOs, CTOs, CISOs, and others) to get perspective on the level of cybersecurity knowledge and involvement by board members. The board members are ultimately responsible for governance of cybersecurity efforts, but many seem to lack the basic knowledge necessary to make informed decisions when it comes to managing the cybersecurity posture for the organization.
A press release from Fidelis explains, “Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur. Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.”
Some of the key findings of the report are:
· Lack of Critical Cybersecurity Knowledge at the Top
76 percent of those surveyed indicated that boards review or approve security strategy and incident response plans. However, only 41 percent of board members claim to have expertise in cybersecurity, and another 26 percent said they have minimal or no knowledge of cybersecurity.
· Limited Visibility into Breach Activity
59 percent of the board members surveyed believe their organizations’ cybersecurity governance practices are very effective, but only 18 percent of IT security professionals agree. Ponemon and Fidelis found that cybersecurity is on the agenda for 65 percent of the boards surveyed, but most board members are unaware of threat activity or whether or not their organization has been breached in the past.
· Absence of Trust Between Boards and IT Security Professionals
Seven out of ten board members believe they understand the cybersecurity risks facing the organization, but only 60 percent of IT security professionals agree. The gap between the two creates a lack of trust and confidence between those who make the decisions and those who have to manage cybersecurity in the trenches.
· Target Breach Was a Watershed Moment
65 percent of board members and 67 percent of IT security professionals reported that the Target data breach had a significant impact on the board’s involvement in cybersecurity governance. Although seemingly major data breaches occur on a weekly basis, there was something about the Target breach in particular that sparked a change in how cybersecurity is managed.
· The SEC Will Drive Drastically Increased Board Involvement
Only 5 percent of board members and 2 percent of IT security professionals say they actually followed SEC guidelines and disclosed a material security breach to shareholders. More than 70 percent of board members surveyed and more than 80 percent of IT security professionals surveyed believe the SEC will make the guidelines a mandate and that will significantly change the board’s involvement in cybersecurity governance.
“As the breadth and severity of breaches continues to escalate, cybersecurity has increasingly become a board level issue,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “The data shows that board members are very aware of cybersecurity, but there is still a lot of uncertainty and confusion. Many lack knowledge not only about security issues and risks, but even about what has transpired within their own companies, which is shocking to me. Without an understanding of the issues, it’s impossible to reasonably evaluate if strategies and response plans are effectively addressing the problem.”
We’ve had a lot of breaches and a lot of surveys over the years. It always seems like organizations are more aware and more focused—dedicating more money and resources to security. Yet, somehow it also seems like we make very little progress and every new data breach is another “wake up call” that will go largely unheeded.