With security breaches such as Sony, WHSmith and Ashley Madison hitting the headlines every week, the level of security awareness among the general public has never been higher. You could therefore be forgiven for thinking that (at least theoretically) it would be an easy task to impress the importance of information security matters on a board of directors. But company directors have a lot on their plate. After the financial crash of the mid- to late-nineties, economic survival has been at the top of their agenda, almost to the exclusion of everything else. Spending more money on what they deem a potential threat, while "real and immediate" risks continue to proliferate, might thus seem to them a less-than-compelling prospect. Even in less financially volatile times, companies are increasingly under pressure to do more with less, and few companies have the luxury of spending money without having to report back a measurable return on their investment.
A growing threat
Cyber security threats are a growing danger, and their costs to organizations continue to soar. According to a recent UK HM Government survey, 90 percent of large organizations experienced a breach in the past year, up from 81 percent in 2014. With security breaches costing on average £1.46-£3.14m, it is not surprising that 11 percent of respondents stated that they changed the nature of their business as a result of the worst breach they suffered. In light of these ever-looming cyber-threats, how does a CISO gain the attention of the board? Furthermore, how does he or she justify future investments in security? In an attempt to answer some of these questions, the Tripwire team has embarked on a number of initiatives to gather real opinions and bring together advice from UK experts, CISOs and industry thought leaders.
Raising real awareness
In May 2015, Tripwire conducted a cybersecurity literacy survey of 101 C-level executives and directors and 176 IT professionals from UK organisations with annual revenues of more than £500 million. The survey was conducted to assess their attitudes to information security and to see how well informed they considered themselves to be. The results were superficially quite encouraging. More than half (54 percent) of the C-level executives claimed to have an excellent grasp of the subject and said they were regularly involved in security decisions. A further 39 percent of respondents felt they had a good or reasonable understanding. Furthermore, 80 percent of the C-level executives stated that their corporate board was cybersecurity literate and adequately understood the issues. However, when IT professionals in the same organisations were questioned, a different picture emerged. Only 71 percent of this category of respondents saw the board as cybersecurity literate, and more than half (54 percent) of those IT professionals also had concerns about the level of cybersecurity knowledge on their boards. From the IT professionals' point of view, the main issue appears to be one of communication. Some felt that their organisation severely lacked any active dialogue with the board on security matters. Others felt that the information provided to the board was inadequate, while even more complained that they had little idea of what the board actually knew about information security.
Board Talk
With the results of our May survey in mind, we've decided to dig a little deeper into the subject. On September 16, we have invited Amar Singh, UK CISO for Elsevier; Ray Stanton, EVP Professional Services at BT and Advisory Board Member of ISF; and Gary Cheetham, CISO at NFU Mutual, to take part in a panel. Together, these security experts will debate the following questions:
- What details are the board looking for and why?
- How do you engage and manage your board's expectations?
- What language do you use to speak to the board?
- How much emphasis do you place on compliance, risk and security in your communication?
And finally…
- Is there a "Golden Ticket" that gains you immediate access to budget?
Members of the public are welcome to watch this discussion unfold and ask our panel questions. Join the debate!