According to a recent Proofpoint report, there is increasing agreement among board members and Chief Information Security Officers (CISOs) in recognizing cyber threats. While boards understand the importance of cybersecurity, many still believe they are unprepared for cyberattacks. Concerns about supply-chain attacks, AI-related risks, and a shift in healthcare boards’ approach to cybersecurity are also highlighted in the report. Despite increased investment, this alignment has yet to translate into significant changes in cybersecurity posture.
Boards acknowledge the looming cyber threats, yet CISOs feel ill-equipped. A leader from Proofpoint commented on new research that compared the perspectives of board directors and CISOs, stating that it remains challenging to translate heightened awareness into effective cybersecurity strategies for safeguarding people and data.
A recent report scrutinizing the cybersecurity landscape within boardrooms, along with the level of communication and collaboration between boards and hospital CISOs, indicates a closer alignment between these entities. However, it also underscores the need for further efforts to establish a unified response to cyber threats.
Significance:
Published on September 6th, Proofpoint’s second annual Board Perspective report delves into three crucial areas: the cybersecurity threats confronting boardrooms, their readiness to counter these threats, and their alignment with CISOs. The report draws insights from surveys conducted in June, encompassing 659 board members from organizations with 5,000 or more employees across various sectors, including healthcare. Participants from countries such as the U.S., Canada, the U.K., France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico shared their perspectives.
Board Perspectives:
Among board directors, 73% regard cybersecurity as a priority, and 72% believe that their boards possess a clear understanding of the cyber risks their organizations face. Moreover, 70% believe they have made sufficient investments in cybersecurity. Nonetheless, according to the board directors surveyed, this awareness and investment do not translate into adequate preparedness.
One notable paradox emerges from the data: 84% of board members anticipate an increase in their cybersecurity budgets next year, while 53% still perceive their organizations as unprepared to respond to a cyberattack within the same timeframe.
Key Findings:
The report highlights an improvement in interactions and relationships between CISOs and boards. Over half of the directors (53%) report regular interactions with security leaders, representing a 6% increase from the previous year. Similarly, CISOs reported in early February that their relationships with the C-suite had improved.
Both board members and CISOs express shared concerns, with malware ranking as their top worry (40%), followed by insider threats (36%) and cloud account compromises (36%). However, boards appear more confident in their organization’s ability to protect data compared to CISOs, with 75% of board members expressing confidence compared to 60% of CISOs.
Third-Party Attacks and Future Concerns:
Notably, only 26% of board members consider supply-chain attacks a top concern, despite the rise in such incidents. This might be linked to the finding that 64% of CISOs believe their organizations have appropriate controls to mitigate supply-chain risk. The report also underscores the significant cost of supply-chain attacks, projected to reach nearly $46 billion by the end of 2023 and over $80 billion by 2026.
Board Members’ Concerns and AI:
Approximately 72% of board directors express concerns about personal liability following a cybersecurity incident. As a result, their wish lists include larger cybersecurity and infosec budgets, additional cyber resources, and improved threat intelligence. The emergence of artificial intelligence (AI) has raised apprehensions among board members, with 59% citing generative AI as a security risk. Board members from Japan, Singapore, and Australia are particularly concerned about generative AI.
Future Challenges:
The report also discusses the potential threats posed by AI tools like ChatGPT, noting that while employees may use AI for research or report writing, cybercriminals leverage AI to streamline phishing and vulnerability exploitation. AI enables individuals with limited technical expertise to enhance their cyberattacks.
Healthcare Boards’ Evolving Approach:
In the healthcare sector, boards have historically been criticized for their slow response to cybersecurity threats. However, recent years have seen a shift in their perspective, recognizing cyber risk as an enterprise-wide issue impacting patient safety. Hospital leaders now prioritize cybersecurity, ranking it among their top risks and allocating more resources to bolster their defenses.
CISOs’ Perspective:
CISOs shared their challenges, priorities, and expectations in a survey conducted in early February. They highlighted the pressure on security budgets due to the global recession. The report emphasizes the importance of CISOs advocating for critical controls to protect their organizations.
Closing Remarks:
Ryan Kalember, Executive Vice President of Cybersecurity Strategy at Proofpoint, noted the growing alignment between board members and CISOs regarding cyber risk and preparedness as a positive development. However, he pointed out that despite this closer collaboration and the boards’ investments of time and resources to combat these risks, substantial changes in cybersecurity posture have yet to materialize.