The boards of directors of public companies are increasingly making cyber-security a priority at their meetings, according to a study done in partnership between security company Veracode and the NYSE Governance Services.
More than 80 percent of the nearly 200 directors of public companies surveyed said that cyber-security was discussed at nearly every board meeting. Some 78 percent of these respondents serve on one to three executive boards.
The increased discussions about cyber-security are likely coming about as a result of the December 2013 Target breach in which Target’s board felt pressure to fire the CIO and CEO.
“I think a lot of other boards said, ‘We better do some inspection on our cyber-security program because we don’t want to be in the same situation,’” says Chris Wysopal, Veracode co-founder and chief information security officer (CISO). “I talked to a CISO who was told that at the next board meeting, he needed to do a two-hour update on their security program. Boards are feeling that they need to take some responsibility.”
Overall, the study shows that 66 percent of respondents did not have confidence that their companies were properly secured against cyber-attacks. These board members listed their top three security concerns as brand damage, breach costs and a lost competitive advantage.
Surprisingly, security ranked second-to-last among board members’ concerns when it came to introducing new products to the market. Although this is a disconnect, education is helping them understand that putting vulnerable products into the market is what leads to security problems in the first place, Wysopal points out.
“We’re helping them connect the dots, to see that breaches come down to vulnerabilities in products,” he explains. “If you’re not taking that into account, you’re not solving the root cause of the problems.”
Supply Chain Concerns
The study also shows that 70 percent of respondents have high-level concerns about the risks presented by third-party software in their supply chains. Many companies are now going outside their organizations for products, services or software-as-a-service (SaaS) solutions, particularly as they use more and more technology to grow their business, Wysopal says.
Companies are also realizing that attacks are occurring through break-ins at their suppliers. “There is awareness that attackers are finding a quicker way into an organization than attacking them directly,” he says.
Wysopal says one of the reasons for conducting the survey was that CISOs are now on the hot seat and are expected to provide organization-wide security. This may range from training employees to recognize phishing, to finding out which lines of business are being secured, to seeing how developers are building code.
“The study data is helping CISOs understand how to navigate their role, which is of growing importance,” he says.
The study offered CISOs several suggestions. When talking to boards, they should use metrics to present cyber-security information. They also should provide risk benchmarks showing how their organization compares to others. In addition, CISOs should use language that is free of acronyms and should present information at a strategic level.
Finally, the survey also reveals that boards are willing to hold the CEO and the entire senior management team responsible for security breaches. “The board is thinking of cyber-security as an organization-wide problem,” Wysopal says. “It’s not just the CISO’s problem.”