CISOs, boards not always on the same page


Most boards of directors understand the risk, but many will not invest more in cybersecurity and have different concerns about the impact of a breach.


The relationship between boards of directors and CISOs could be better these days. According to a report from cybersecurity firm Proofpoint in collaboration with Cybersecurity at MIT Sloan, while 69% of board members report seeing eye-to-eye with their CISO, only 51% of CISOs say the same thing.

The good news is most (77%) board members surveyed in the Cybersecurity: The 2022 Board Perspective report agree that cybersecurity is a top priority. Most (65%) believe they are at risk of cyberattack in the next 12 months compared to just 48% of CISOs.

Nearly half of board members feel unprepared for a cyberattack

Almost half (47%) of board members said their organizations are unprepared to deal with a targeted attack. And only two-thirds of board members view human error as their biggest cyber vulnerability, despite the World Economic Forum finding that this risk leads to 95% of all cybersecurity incidents.


Board members also often disagree with CISOs about which impacts of a cyber incident are most important. The top concern of boards (37%) was data becoming public, while 34% named reputational damage and 33% named revenue loss as the most serious consequence. CISOs, on the other hand, are more concerned about downtime, disrupted operations and impact on business valuations.

“A failure of board members and CISOs to see eye-to-eye with one another presents significant risk to an organization,” said Lucia Milică, vice president and global resident CISO at Proofpoint. “The CISO needs buy-in from the board, and if they can’t relate to one another, securing necessary cybersecurity investments becomes an almost impossible task.”

The report looked at three factors: the cyber threats and risks boards face, their level of preparedness to combat those threats, and their alignment with CISOs as measured against CISO sentiment.

CISOs and board members align on where the top cyberthreat comes from

The report did find that board members and CISOs are on the same page when it comes to the top threat they face. Boards and CISOs both ranked business email compromise as their top concern (41%). Boards also are concerned about cloud account compromise (37%) and ransomware (32%), while CISOs ranked insiders as their top threat.

Even so, that awareness did not translate into funding. Although 75% of boards said they understand their organization’s systemic risk, 76% think they have invested enough in cybersecurity and 75% said their data is adequately protected.

“Boards are relentlessly focused on the bottom line and CISOs often mired in technical language,” said Milică. “This lack of communication and shared understanding of cyber risk can put organizations at a tremendous disadvantage when attempting to combat today’s threats.”

In what many may consider a surprise, 80% of boards agreed that their organizations should be required to report a material cyberattack to regulators within a reasonable timeframe. Only 6% said they disagree.

“While there may be increased costs to adhering to new cyber regulations, boards are finding the price of a delayed response without assistance from regulators to be much greater,” said Milică.

About the report

The Cybersecurity: The 2022 Board Perspective report looked at survey responses from 600 board members at organizations with 5,000 or more employees from different industries across 12 countries including the U.S., Canada, the U.K., France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil and Mexico.