MIT Sloan releases Report on Board-Level Organizational Cybersecurity


A new report released this month by MIT Sloan in collaboration with Proofpoint surveyed 600 board members at organizations across 12 countries about their thoughts on cybersecurity preparedness.

While 75% of respondents said that cybersecurity risks and impacts are understood by their boards, the report states that "Just under two-thirds of board members believe that their organization is at risk of a material cyber attack." Board members in the Financial and Manufacturing industries generally believed they were at higher risk than those in other industries.

The report goes on to point out that oftentimes, unsurprisingly, board members and CISOs are "not on the same page when it comes to risk," and that "This difference in perceived threat levels is a significant barrier to the united front that is essential for a successful cybersecurity defense."

When asked what they perceived as the "biggest cybersecurity threats within your organization/industry in the next 12 months," board members ranked email fraud/compromise as the top threat, and CISOs agreed it was important. However, CISOs responded that they thought the biggest threat would come from inside the organizations themselves, whether accidental, negligent, or possibly criminal.

The report goes on to show a glaring issue: 24% of respondents said that their organization does not discuss cybersecurity on a regular basis (about once a month). Digging deeper, it was found that "privately-owned companies are more likely (82%) than publicly owned companies (70%) to discuss cybersecurity matters at least once a month."

The report found that monthly CISO presentations happen in only 73% of organizations, which "may not be enough," according to the report. MIT Sloan and Proofpoint believe that board-level priorities "have a trickledown effect on the entire organization," meaning that if the board makes something a priority, the rest of the organization will take it seriously as well.