For decades now the relationships between CISOs and their top executives have been a matter of touch and go. In the early 2000s, following 9/11 and a number of high profile worms such as Code Red and Nimda, cybersecurity jumped from a marginal, often ignored, topic to front and center in the boardroom.
However, as weeks and months went by, interest and the urgency around cybersecurity waned. It was ignited again in 2003, as more enterprises geared themselves toward becoming Sarbanes-Oxley compliant.
Since that time, interest in cybersecurity from top executives and the board has cycled up and down several times: a wave of high-profile attacks would make headlines, and boards of director interest in cybersecurity would perk, only to have interest fade once again as things settled down again.
Fortunately, this may be changing now as the amount of attention boards of directors are paying to cybersecurity is high and possibly growing. The reason is that now, because cyberattacks have remained high and there is a steady drumbeat of data breaches, cybersecurity should be on the top of the business priority list for some time to come.
Consider CSO’s recent 2015 U.S. State of Cybercrime Survey that found only one in four CISOs or CSOs make a security presentation to their board annually, while 30 percent of respondents in that survey said that their security executives make quarterly security presentations. That comes to roughly 55 percent of respondents who provided a presentation to their board once a year or more, while 28 percent of respondents said their security leaders never make presentations to their boards. Not surprisingly, the larger the company, the more likely it is to have board cybersecurity involvement while only 18 percent of small companies say their security leaders advise their board on security, 33 percent of large organizations do.
When it came to board and cybersecurity involvement, such involvement in the U.S. came in stronger than it is internationally. The Global State of Information Security Survey (GSISS) 2016 found that board involvement globally dropped to 45 percent of organizations. However, that’s a significant increase from last year’s GSISS survey, which found that boards participated in security budget (46 percent compared to 40 percent in 2015), overall security strategy (45 percent compared to 42 percent), security policies (41 percent compared to 36 percent) and security technologies (32 percent compared to 25 percent).
“Cyber security has gone from a Main Street and public perception and Wall Street and financial impact issue to a board room priority with C-level career risk,” says Doug Dooley, a board member of security analytics and forensics vendor Niara’s and venture capitalist at Venrock. “Every board member needs to have a point of view on handling cyber risks and threats to its business."