Cyber security is definitely on the minds of boards of directors, but the jury is out on just how far that goes.
In a snapshot of what boards and executives are thinking in the UK, Tripwire conducted a survey on the attitudes of executives as they relate to cyber security risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from private and public UK organizations.
Despite the increasing number of successful attacks against UK organizations, the study found 54 percent of C-level executives at organizations within the Financial Times Stock Exchange (FTSE) 100 index believe their board is cyber security literate and actively engaged in routine security.
IT professionals from the same organizations are less confident in their board’s cyber security knowledge, with 26 percent stating their boards only step in when there is a serious incident.
While the results of the Tripwire study point to executive confidence, they reveal the uncertainty of IT professionals. When asked if their board was “cyber literate,” almost one-third of IT professionals either answered “no” or “not sure.” However, 84 percent of C-level executives said “yes” to the same question.
“There’s a big difference between cyber security awareness and cyber security literacy,” said Dwayne Melancon, CTO for Tripwire. “If the vast majority of executives and boards were really literate about cyber security risks, then spear phishing wouldn’t work. I think these results are indicative of the growing awareness that the risks connected with cyber security are business critical, but it would appear the executives either don’t understand how much they have to learn about cyber security, or they don’t want to admit that they don’t fully understand the business impact of these risks.”
Other key findings include:
• 28 percent of IT professionals “don’t have visibility” into what the board is told about cyber security, and 47 percent were “not concerned” about their board’s knowledge of cyber security.
• In the event of a cyberattack, respondents would be most concerned about customer data (62 percent), damage to brand and reputation (50 percent), and financial damage or stock price (40 percent).
• 35 percent of respondents agreed that a security breach at their own organization had the biggest impact on their boards’ cyber security awareness, while other respondents felt that Heartbleed (19 percent) had a bigger impact than the Target or Sony breach and the Snowden leaks (17 percent and 8 percent, respectively).
“Most organizations are not struggling with communication tools,” Melancon said. “They are instead struggling with finding the right vocabulary and information to accurately portray cyber security risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk.”