Cyber risk: the view across the boardroom table


With high-profile attacks like the recent MOVEit cyber-extortion hack, and the rush to support new working practices and environments due to the pandemic, cybersecurity has taken center stage. Where it was once viewed solely as a problem for the CISO or IT team to solve, it is now high on the agenda of most UK boardrooms, according to KPMG.

A recent report by Proofpoint and Cybersecurity at MIT Sloan (CAMS), found that most UK businesses view cybersecurity as a top priority and believe they have a clear understanding of the current threats they face.

While this is good news on the surface, it’s important to dig deeper and turn acknowledgement of the overarching issue into widespread awareness of specific threats—and of the part all employees play in keeping them at bay.

Let’s explore whether a culture of cybersecurity awareness is best served when built from the top down, and take a deeper dive into what happens when, in the modern threat landscape, CISOs and their boardroom colleagues are not always on the same page.


The view across the boardroom table

The relationship between the CISO and the wider boardroom has become increasingly cooperative. However, while they may agree on the importance of cybersecurity, with 77% of CEOs seeing cyber as a strategic function and a potential source of competitive advantage, they do not always see eye to eye on all aspects of the challenge. When evaluating the risk, for example, 76% of UK board members still believe that their organization is at risk of a material cyberattack in the next 12 months, compared with just 60% of CISOs.

There is also a disconnect in threat prioritization. While CISOs struggle to prioritize the numerous threats, boards have a much clearer focus, specifically on cyber-enabled financial fraud, and credential theft and misuse. Buy-in and investment for new strategies can suffer when CISOs and other board members are not on the same page. In addition, without clear and agreed strategies and priorities, attempts to build an effective security control stack and a security-aware culture at all levels are destined to fail.

While it is ultimately up to the board to take steps to keep cybersecurity high on the agenda, the CISO also has a responsibility to press the message and bridge any gap. CISOs must deliver concerns, strategies and recommendations in a business-first manner, while avoiding jargon and overly technical language.

Understandably, board members are less interested in threat detection metrics than in how security can protect revenues, reputation and intellectual property. So, by speaking the same language, CISOs can help board members better understand the reasoning behind their suggestions—and protect the organization more effectively as a result.

Awareness is not translating to preparedness

Unfortunately, there is an equally frustrating mismatch when it comes to awareness versus preparedness. While 84% of board members in the UK think they have invested adequately in cybersecurity and 72% believe their data is adequately protected, more than half (58%) still view their organization as unprepared to cope with a cyberattack in the next 12 months.

Also, despite 76% of boards believing that employees understand their role in protecting the enterprise from cyber threats, 72% still feel that human error is their biggest vulnerability. And while awareness of common tactics employed by threat actors is high, and most users are becoming increasingly aware of threats like phishing and malware, many still demonstrate risky behaviors in their daily work.

Addressing this people-centric protection gap requires the board and CISOs to employ a more granular level of threat awareness. One way of achieving this is through long-term, targeted security awareness programs aimed at educating employees, followed up with tests to ensure preparedness.

Education must go beyond standardized tests and tick-box exercises. Every user must fully understand how they are likely to encounter threats in the real world and what is expected of them when they do.

But if businesses are to successfully nurture this kind of security-aware culture, the importance of security must be embraced at all levels, from the board to the CISO to all employees. A stronger relationship and understanding between cybersecurity teams and other business functions at the top level will cascade down and be reflected throughout the workforce. The clearer the communication in the boardroom, the greater the understanding of cybersecurity companywide – and ultimately, the safer the organization.


Andrew Rose is a Resident CISO for the EMEA Region at Proofpoint. His focus is driving Proofpoint’s people-centric security vision, strategy and initiatives amongst the company’s customer base.
