Cyberattacks and data breaches are becoming staple news stories because of the large number of incidents. The frequency and seriousness of the attacks are becoming increasingly costly to counterattack. Despite the repeated stories of cyber theft, data breaches and reputational loss, companies are still largely taking a reactive approach to cybersecurity. Companies are investing more time, money and energy on response plans than on being preventative and proactive. The slow response makes many companies vulnerable to cyberattacks, and digital transformation risk can throw their strategies way off track.
In a survey of the Conference Board, more than 70% of the 740 CEOs polled stated that they planned to increase their budgets for cybersecurity in 2020. That seems to be a high percentage, considering that nearly 40% of the responding CEOs indicated that their companies didn't have identifiable plans to mitigate the financial or reputational fallout if they were to become victimized by cybercrime.
Another trend that makes companies vulnerable to cybercrime is that chief information security officers (CISOs) don't inform or update their boards on issues like cyber risk, cyberattacks and cybersecurity. A study by the Ponemon Institute showed that 63% of CISOs don't report to their board of directors on a regular basis. Moreover, about 40% of board directors don't report to the board at all.
Regardless of the form of the attack, whether it's data theft, ransomware, a security incident or a distributed denial of service (DDoS) attack, cybercrime is a worrisome, expensive problem that can affect the reputation of companies large or small.
The lack of attention to cybersecurity issues is largely due to the lack of accountability of the board and senior executives. The Ponemon survey indicated that four out of every 10 CISOs never report to their boards of directors at all. What is more concerning is that only 14% of CISOs make a report to their boards after a security breach. Even when boards do get informed, large numbers of them fail to take any remedial action.
Other parts of the survey indicated that almost a third of the respondents said that their board or CEO makes the determination or approves an acceptable level of cyber risk for the company.
Only 21% of those who took the survey stated that their board or CEO asks for cybersecurity due diligence during a merger or acquisition transaction. Without doing due diligence around cybersecurity, every new merger or acquisition may manifest in a pile of regulatory fees and legal fines if a security breach surfaces shortly afterwards. Overall, the survey clearly showed that C-suites and boards of directors aren't currently assuming the necessary responsibility for cyber risk.
The fallout from a cyberattack can be severe. Many boards are still taking an approach to cyber risk that either trivializes it or delegates the problem to someone else. Essentially, corporate leaders aren't merely turning a blind eye to what's going on in the cyber world. The failure to take cybersecurity seriously means that your corporation's data is at a strong risk of becoming endangered. In addition, your company's reputation is extremely important. By properly addressing cybersecurity, the board and executives are sending a strong message to the public that the company's reputation is worthy of protecting.
Just over 50% of the survey respondents said that their IT security systems had gaps in coverage or other weaknesses that left them feeling like a sitting duck for cybercrime. In essence, many CISOs felt inadequate to face the cyber threats that they know are looming out there. By putting their systems on a scale, only 245 of the respondents described their analysis programs as mature and 30% felt their programs were partially mature. The remainder of the respondents had cobbled together various types off security and monitoring systems. What is more concerning is that 40% of CISOs reported that they don't monitor their risk position or quantify it. Only 39% of CISOs who do monitor their systems bring their findings to their boards of directors, which leaves board directors in the dark as well.
In addition, the world is more connected than ever. Consider how many other programs you can log into just by using a Facebook account. This is a great convenience for consumers; however, it requires opening up infrastructures to allow systems to connect. It's difficult to assess the various ways systems connect with each other and how it opens those systems to risk.
Other issues include the general lack of cyber expertise within the workforce, which makes it difficult to add people to the IT department, and human error.
Much of the digital transformation that needs to occur is related to the corporate mindset. Starting at the top, companies need to respect cyber resilience, understand the integrity and availability of IT services and data, and how they can make a difference in cyber protection. Corporate leaders need to make sure the organization, processes and governance models keep up with the IT infrastructure, new technologies, apps and digital platforms. CISOs need to track cyber risk issues and spend more time in the boardroom keeping the board informed. In addition, CISOs must be able to associate digital business with new risks. Revenue streams, profit margins and the company's reputation all depend on resilient IT operations.
In this day and age, it's necessary for boards to prioritize digital transformation risk. One way they can do that is to form a cyber risk culture at the top starting with their own systems. A board management software system and other tools by Diligent Corporation keep board communications safe by containing them within a highly secure platform that was designed with the needs of boards of directors in mind.
In a survey of the Conference Board, more than 70% of the 740 CEOs polled stated that they planned to increase their budgets for cybersecurity in 2020. That seems to be a high percentage, considering that nearly 40% of the responding CEOs indicated that their companies didn't have identifiable plans to mitigate the financial or reputational fallout if they were to become victimized by cybercrime.
Another trend that makes companies vulnerable to cybercrime is that chief information security officers (CISOs) don't inform or update their boards on issues like cyber risk, cyberattacks and cybersecurity. A study by the Ponemon Institute showed that 63% of CISOs don't report to their board of directors on a regular basis. Moreover, about 40% of board directors don't report to the board at all.
Regardless of the form of the attack, whether it's data theft, ransomware, a security incident or a distributed denial of service (DDoS) attack, cybercrime is a worrisome, expensive problem that can affect the reputation of companies large or small.
Accountability Lacking in Cybersecurity at Board Level
The rapid pace of business demands that companies take precautions to keep their IT systems up and running. Yet, even with the threat of a system shutdown, too many companies are failing to tackle the cybersecurity issue head-on, choosing to be complacent, rather than proactive.The lack of attention to cybersecurity issues is largely due to the lack of accountability of the board and senior executives. The Ponemon survey indicated that four out of every 10 CISOs never report to their boards of directors at all. What is more concerning is that only 14% of CISOs make a report to their boards after a security breach. Even when boards do get informed, large numbers of them fail to take any remedial action.
Other parts of the survey indicated that almost a third of the respondents said that their board or CEO makes the determination or approves an acceptable level of cyber risk for the company.
Only 21% of those who took the survey stated that their board or CEO asks for cybersecurity due diligence during a merger or acquisition transaction. Without doing due diligence around cybersecurity, every new merger or acquisition may manifest in a pile of regulatory fees and legal fines if a security breach surfaces shortly afterwards. Overall, the survey clearly showed that C-suites and boards of directors aren't currently assuming the necessary responsibility for cyber risk.
The fallout from a cyberattack can be severe. Many boards are still taking an approach to cyber risk that either trivializes it or delegates the problem to someone else. Essentially, corporate leaders aren't merely turning a blind eye to what's going on in the cyber world. The failure to take cybersecurity seriously means that your corporation's data is at a strong risk of becoming endangered. In addition, your company's reputation is extremely important. By properly addressing cybersecurity, the board and executives are sending a strong message to the public that the company's reputation is worthy of protecting.
Focusing on Preventing Cyber Risk
To prevent digital transformation risk, companies will need to make a commitment to doing more monitoring and analysis. Nearly 70% of CISOs said that their companies merely take a reactionary approach to cyber risk. Around 63% of CISOs stated that they needed better tools to monitor their systems.Just over 50% of the survey respondents said that their IT security systems had gaps in coverage or other weaknesses that left them feeling like a sitting duck for cybercrime. In essence, many CISOs felt inadequate to face the cyber threats that they know are looming out there. By putting their systems on a scale, only 245 of the respondents described their analysis programs as mature and 30% felt their programs were partially mature. The remainder of the respondents had cobbled together various types off security and monitoring systems. What is more concerning is that 40% of CISOs reported that they don't monitor their risk position or quantify it. Only 39% of CISOs who do monitor their systems bring their findings to their boards of directors, which leaves board directors in the dark as well.
Challenges in Increasing Cybersecurity
While it's true that CISOs and companies could be doing more to protect their companies, they face formidable challenges. The sheer volume of data that crosses the internet makes it difficult to monitor cyber threats.In addition, the world is more connected than ever. Consider how many other programs you can log into just by using a Facebook account. This is a great convenience for consumers; however, it requires opening up infrastructures to allow systems to connect. It's difficult to assess the various ways systems connect with each other and how it opens those systems to risk.
Other issues include the general lack of cyber expertise within the workforce, which makes it difficult to add people to the IT department, and human error.
What Steps Can Companies Take to Prevent Digital Transformation Risk?
Automation and machine learning are two of the digital strategies that companies will rely on more heavily moving into the future. It's important to monitor and protect these processes.Much of the digital transformation that needs to occur is related to the corporate mindset. Starting at the top, companies need to respect cyber resilience, understand the integrity and availability of IT services and data, and how they can make a difference in cyber protection. Corporate leaders need to make sure the organization, processes and governance models keep up with the IT infrastructure, new technologies, apps and digital platforms. CISOs need to track cyber risk issues and spend more time in the boardroom keeping the board informed. In addition, CISOs must be able to associate digital business with new risks. Revenue streams, profit margins and the company's reputation all depend on resilient IT operations.
In this day and age, it's necessary for boards to prioritize digital transformation risk. One way they can do that is to form a cyber risk culture at the top starting with their own systems. A board management software system and other tools by Diligent Corporation keep board communications safe by containing them within a highly secure platform that was designed with the needs of boards of directors in mind.