Only 28 percent of US enterprises say CEO and board approves acceptable level of cyber risk

Published: Friday, 18 October 2019 09:03

Ponemon Institute research, evaluating accountability for ensuring the effectiveness and efficiency of security practices, technologies, and controls within enterprises, demonstrates a clear lack of accountability, especially on the board and among C-suite executives.

Ponemon surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organizations’ IT security strategy, tactics, and technology investments. The survey was sponsored by AttackIQ.

“Enterprise culture is formed at the top. If enterprise leaders are not actively engaged in ensuring a strong cyber security posture, it sends the message that cyber security is not a mission critical issue,” said Larry Ponemon, founder and chairman of Ponemon Institute. “The board of directors and C-suite typically come under fire when their organization suffers a data breach or other security incident, and therefore must be involved in enforcing a proactive approach to identifying and remediating security gaps. While most companies have an executive tasked with accurately determining the efficacy of their cyber security strategy, they need to be communicating these findings to senior leaders and the board on a regular basis.”

According to the survey findings, the board of directors and senior leadership are not actively engaged in ensuring the effectiveness of their organization’s security strategy. Key points include:

Most organizations do not take a proactive approach to security and acknowledge that their IT security infrastructure has gaps in coverage that allow attackers to penetrate their defences. They need better monitoring tools that will improve their ability to communicate the effectiveness of their security infrastructure to the board and C-suite.

Most organizations do not have a mature program for measuring their IT security posture, and even among those that do, many do not report their findings to the board. Respondents cited the lack of monitoring tools that generate adequate and accurate information on IT security posture as a primary reason for failing to report to the board.
