Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

6/30/2015
08:00 AM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

4 Signs Your Board Thinks Security Readiness Is Better Than It Is

Ponemon Institute survey shows a gap in perception between boards of directors and IT executives when it comes to IT risk posture.

While most boards of directors today consider cybersecurity risks a top concern for the companies they help govern, their true awareness of the threats may not be as good as they think, according to recent results of a Ponemon Institute survey that compared directors' perceptions to IT security executives'. The study showed that there's a gap between how well the boards believe their charges are doing with security and the perception by security personnel in the trenches working to protect company assets. Here are some indications from the survey that boards of directors (BoDs) may underestimate the cybersecurity risks facing their organizations.

 

Baseline Knowledge Missing

Even though almost three-quarters of directors report that they're charged with overseeing risk assessments and audits at their companies, they may not have the baseline knowledge necessary to really decipher information and capably lead based on these assessments. The survey showed that only 33 percent of board members consider themselves knowledgeable or very knowledgeable about cybersecurity. It's not surprising, then that while 70 percent of board members say they understand the security risks their organizations face, just 43 percent of IT security personnel believe their boards truly understand the cyber risk landscape.

 

Overconfidence Endemic To Boards

The lack of knowledge allows many directors to maintain somewhat Pollyanna-ish views about their organization's security readiness. Approximately 59 percent of board members rate their cybersecurity governance practices as very effective. At the same time, only 18 percent of security pros also believe this to be true.

"This finding reveals the deep divide in the thinking about what constitutes effective governance practices between board members who are in charge of overall company performance and those responsible for stopping data breaches and cyber attacks," the report said.

 

BoD Not Informed of Incidents

The disparity between breaches that board members know about versus those that IT security staff have knowledge of hints at a troubling lack of communication between the board and infosec pros.  

Over half of IT security professionals reported that their organizations had experienced a breach involving theft of high-value information in the past two years. That's compared with just 23 percent of board members who believed the same. Furthermore, in many cases, board members are unsure if their organizations have experienced security incidents. About one in five directors say they're uncertain if their organization experienced a cyber attack that disrupted business or IT operations in the past few years and 18 percent said they were unsure if it experienced a breach involved high-value information.

 

Directors Don't Ask For Security Measurables

While board members recognize the importance of cyber security—89 percent say they recognize the reputational and marketplace impacet breaches or security failures pose—they're not asking for enough information from security departments. In fact, only 19 percent of boards use any kind of cybersecurity metrics to keep IT accountable for maintaining an acceptable level of risk for the organization.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JohnM465
50%
50%
JohnM465,
User Rank: Apprentice
7/7/2015 | 6:10:54 PM
Comment on the 4 Signs Your Board Thinks Security Readiness Is Better Than It Is
It is not surprising to hear that top management knows little about real security threats and the value of ensuring that you have near to watertight security protocols to protect the future of your corporation. This all stems from the fact that IT governance is not aligned appropriately with corporate strategies. With this gap, there is no way for top management to appreciate the value of providing security to the corporate information. It is also the lack of showing how much the coporation loses due to security breaches. I fail to see a board members underestimating the importance of securing critical information if millions are lost due to security intrusions. A corporate strategy that does not take into account the risk of loss lacks the very fundamentals of appropriate stratgic goal setting and achievement.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2015 | 10:05:06 AM
Need for a CISO
This is precisely why organizations need a CISO. An individual who has a hybrid techincal/policy background to be able to delineate the need for pursing certain security endeavors. They will have a seat at the table and be able to display value in the form of metrics. But to truly have security be appreciated at an organization you need someone at the highest levels where its there number 1 priority so that those initiatives trickle down through the organization and are not pushed to the back burner due to lack of authority.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11583
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
CVE-2020-11584
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
CVE-2020-5770
PUBLISHED: 2020-08-03
Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.01 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5771
PUBLISHED: 2020-08-03
Improper Input Validation in Teltonika firmware TRB2_R_00.02.04.01 allows a remote, authenticated attacker to gain root privileges by uploading a malicious backup archive.
CVE-2020-5772
PUBLISHED: 2020-08-03
Improper Input Validation in Teltonika firmware TRB2_R_00.02.04.01 allows a remote, authenticated attacker to gain root privileges by uploading a malicious package file.