Only 28 percent of US enterprises say CEO and board approves acceptable level of cyber risk
- Published: Friday, 18 October 2019 09:03
Ponemon Institute research evaluating who within enterprises is accountable for ensuring the effectiveness and efficiency of security practices, technologies, and controls finds a clear lack of accountability, especially at board level and among C-suite executives.
Ponemon surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organizations’ IT security strategy, tactics, and technology investments. The survey was sponsored by AttackIQ.
“Enterprise culture is formed at the top. If enterprise leaders are not actively engaged in ensuring a strong cyber security posture, it sends the message that cyber security is not a mission critical issue,” said Larry Ponemon, founder and chairman of Ponemon Institute. “The board of directors and C-suite typically come under fire when their organization suffers a data breach or other security incident, and therefore must be involved in enforcing a proactive approach to identifying and remediating security gaps. While most companies have an executive tasked with accurately determining the efficacy of their cyber security strategy, they need to be communicating these findings to senior leaders and the board on a regular basis.”
According to the survey findings, the board of directors and senior leadership are not actively engaged in ensuring the effectiveness of their organization’s security strategy. Key points include:
- Only 28 percent of respondents say the board and CEO determine and/or approve the acceptable level of cyber risk for the organization;
- 63 percent of survey respondents say their IT security leadership does not report to the board on a regular basis, and 40 percent say they don’t report to the board at all;
- 14 percent of respondents say their IT security leadership only reports to the board following a security incident;
- Only 21 percent of respondents say their board and CEO require cyber security due diligence in a merger and acquisition process, a critical step in minimizing the potential risk.
Most organizations do not take a proactive approach to security and acknowledge that their IT security infrastructure has gaps in coverage that allow attackers to penetrate their defences. They need better monitoring tools to improve their ability to communicate the effectiveness of their security infrastructure to the board and C-suite:
- 69 percent of respondents say their organization’s security approach is reactive and incident driven;
- 63 percent of respondents say their IT security leadership needs better monitoring tools to improve their ability to communicate the effectiveness of security infrastructure and potential gaps to the C-suite and board;
- 56 percent of respondents say their IT security infrastructure has gaps in coverage that allow attackers to penetrate its defences.
Most organizations do not have a mature program for measuring their IT security posture, and even among those that do, many do not report these findings to the board. Respondents cited a lack of appropriate monitoring tools that generate adequate and accurate information on IT security posture as a primary reason for failing to report to the board:
- Only 24 percent of respondents say they have a mature measurement and metrics program, and 30 percent say they have a partial metrics program;
- 40 percent of respondents say they do not quantify and track the company’s IT security posture at all;
- Of the respondents who have either a mature or partial measurement program, only 39 percent report the findings to the board.