Business leaders still disconnected from cyber risks

security disconnect DXC Blogs

While it’s long been said that to successfully manage the risks in enterprise security, business leadership — executives, the CEO, up to the board of directors — needs to be engaged with security teams, it’s still not happening.

A recent survey from the National Association of Corporate Directors (NACD) found that, while boards want to understand cybersecurity risks, a majority find it challenging to maintain proper oversight.

In fact, 59% of those surveyed report that overseeing cyber risks is challenging, while 19% say their boards have a high level of cybersecurity understanding. Thirty-seven percent of respondents say they are confident (5% very confident) in their security posture, according to the 2016–2017 NACD Public Company Governance Survey.

“Directors continue to wrestle with effective oversight of cyber risk. Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge of this growing risk,” the NACD said. “Many of their boards may lack sufficient expertise or adequate information to confidently assure that cybersecurity defenses are indeed effective.”

While not detailed in the executive summary (not all of the report was made publicly available), one reason for the disconnect is that, to this day, many CISOs — too many, in fact — don’t do a good enough job of communicating the business impact of cyber risks.

While cyber security risks are a big concern, they aren’t the primary concern, according to the report. Currently, economic uncertainty and business-model disruption top the list.

“Global economic uncertainty was selected by 60 percent of respondents as one of the five trends that will have the great­est impact on their companies over the next 12 months, most likely in light of ongoing economic turbulence that includes the fallout from Brexit, emerging markets volatility, and the protectionist trade stance of the new U.S. administration,” the NACD said.

But directors are getting more serious when it comes to risk oversight, generally. Many boards are looking for more information about risks in the months ahead and are increasingly interested in understanding potential links between risk and strategy and how incentives impact culture and risk.

“Many boards now receive frequent reports on key components of risk management, including summaries of top risks, emerging risks, and their mitigation. According to our survey, 63 percent of them perform in-depth reviews of specific top risks. Perhaps in response to the recent corporate debacles in the auto industry and banking sector, more than 57 percent of boards now assess whether incentives used in the company’s compensation structure could inadvertently create or exacerbate risks,” the report notes.

When it comes to conquering cyber risk management, CISOs need to get better at showing how their efforts mitigate risks and help improve business performance. And they need to do so in ways that resonate with business leadership, and not just security technologists.


What’s ahead for security and cloud adoption?

Clouds cast long security shadow over enterprise IT

Cloud spend outpacing traditional IT, spurring security investments


  1. […] Business leaders still disconnected from cyber risks […]

  2. […] Business leaders still disconnected from cyber risks […]

  3. […] Business leaders still disconnected from cyber risks […]

Speak Your Mind


This site uses Akismet to reduce spam. Learn how your comment data is processed.