“Executives and IT security teams have dramatically improved their ability to communicate cybersecurity risk to boards, but the key is to make cybersecurity actionable before a breach.”

The study also surveyed 176 IT professionals outside the board, who were for the most part (47 percent) “not concerned” about their board’s knowledge of cybersecurity. Of those who expressed concern, 28 percent stated they did not have visibility into what the board is told about cybersecurity; 22 percent claimed the information given to the board is not adequate; and a small number (4 percent) said they are not in active dialogue with C-level executives about infosec issues.

Other key findings from the study indicated that the challenges with cybersecurity are ultimately not associated with having the right tools – an overwhelming 85 percent of respondents stated that their executive team has the tools they need to accurately present cybersecurity risks to the board.

“Since respondents believe they have tools and data in place, but breaches continue to grow, this really does appear to be a literacy problem,” said Tripwire’s Tim Erlin, director of IT risk and security strategy.

As Melancon further explained, the problem likely comes down to effective communication among IT professionals and C-level executives.
“[Organizations] are instead struggling with finding the right vocabulary and information to accurately portray cybersecurity risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk.”

With ongoing high-profile incidents and vulnerabilities serving as a clear reminder, the study shows that decision-makers and IT staff are becoming well aware of how cybersecurity risks can directly impact their organization. “Confidence in communication that moves cybersecurity up the list of business priorities is the objective,” said Melancon.