Despite a global refocusing on cybersecurity priorities over the last few years, nearly half of board members at organizations across the globe feel unprepared to respond to a targeted cyberattack, and nearly two-thirds say they are at risk within the next 12 months, data which suggests a disconnect between boards of directors and CISOs.
That is according to a new study from cybersecurity company Proofpoint and Cybersecurity at MIT Sloan (CAMS), which surveyed 600 board members at organizations with at least 5,000 employees across 12 countries. The research found that most board members have a pessimistic view of their organization’s ability to defend itself despite 77% of respondents agreeing that cybersecurity is a top priority and 76% saying they discuss the topic at least monthly.
Further, 75% believe their boards clearly understand the systematic risks their organizations face and 76% claim to have made adequate investments in technology, but technology and tooling are only part of the solution and may be relied upon too heavily, the survey suggests.
According to the World Economic Forum, human error leads to 95% of all cybersecurity incidents, but only two-thirds of board members told Proofpoint that human error is their biggest vulnerability. This suggests that board members are out of touch with the basic cybersecurity practices that can prevent most cyberattacks.
The results of this survey of board members contrast with Proofpoint’s 2022 Voice of the CISO report. Sixty-five percent of board members say their organization is at risk of a material attack, but only 48% of CISOs feel the same. That could be the result of a larger disconnect, as 69% of board members say they don’t see eye-to-eye with their chief cybersecurity experts. Meanwhile, just 51% of CISOs say the same about their board members.
Other areas of disconnect were in top perceived threats. Board members ranked email fraud and business email compromise as their top security concern, and although CISOs also ranked that highly, they see insiders as their top threat.
Other disagreements are in the perceived consequences of a cyber incident. Board members feel that internal data becoming public is at the top of that list, followed by reputational damage and revenue loss. However, CISOs say they are more worried about downtime, disruption of operations and impact on business valuations.
Lucia Milică, vice president and global resident CISO at Proofpoint, calls it encouraging that boardrooms are finally taking cybersecurity seriously. However, they still have a long way to go to understand the threat landscape and prepare for material cyberattacks.
“One of the ways boards can boost preparedness is by getting on the same page with their CISOs,” Milică says. “The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organizational success.”