BreachExchange mailing list archives

4 Signs Your Board Thinks Security Readiness Is Better Than It Is


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 30 Jun 2015 19:24:24 -0600

http://www.darkreading.com/operations/4-signs-your-board-thinks-security-readiness-is-better-than-it-is/d/d-id/1321111

While most boards of directors today consider cybersecurity risks a top
concern for the companies they help govern, their true awareness of the
threats may not be as good as they think, according to recent results of
a Ponemon Institute survey that compared directors' perceptions to IT
security executives'. The study showed that there's a gap between how well
the boards believe their charges are doing with security and the perception
by security personnel in the trenches working to protect company assets.
Here are some indications from the survey that boards of directors (BoDs)
may underestimate the cybersecurity risks facing their organizations.



Baseline Knowledge Missing

Even though almost three-quarters of directors report that they're charged
with overseeing risk assessments and audits at their companies, they may
not have the baseline knowledge necessary to really decipher information
and capably lead based on these assessments. The survey showed that only 33
percent of board members consider themselves knowledgeable or very
knowledgeable about cybersecurity. It's not surprising, then, that while 70
percent of board members say they understand the security risks their
organizations face, just 43 percent of IT security personnel believe their
boards truly understand the cyber risk landscape.



Overconfidence Endemic To Boards

The lack of knowledge allows many directors to maintain somewhat
Pollyanna-ish views about their organization's security readiness.
Approximately 59 percent of board members rate their cybersecurity
governance practices as very effective. At the same time, only 18 percent
of security pros also believe this to be true.

"This finding reveals the deep divide in the thinking about what
constitutes effective governance practices between board members who are in
charge of overall company performance and those responsible for stopping
data breaches and cyber attacks," the report said.



BoD Not Informed of Incidents

The disparity between breaches that board members know about versus those
that IT security staff have knowledge of hints at a troubling lack of
communication between the board and infosec pros.

Over half of IT security professionals reported that their organizations
had experienced a breach involving theft of high-value information in the
past two years. That's compared with just 23 percent of board members who
believed the same. Furthermore, in many cases, board members are unsure if
their organizations have experienced security incidents. About one in five
directors say they're uncertain if their organization experienced a cyber
attack that disrupted business or IT operations in the past few years and
18 percent said they were unsure if it experienced a breach involving
high-value information.



Directors Don't Ask For Security Measurables

While board members recognize the importance of cyber security—89 percent
say they recognize the reputational and marketplace impact breaches or
security failures pose—they're not asking for enough information from
security departments. In fact, only 19 percent of boards use any kind of
cybersecurity metrics to keep IT accountable for maintaining an acceptable
level of risk for the organization.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
