Defining a Security-Conscious Boardroom

Cyber security is becoming increasingly important in organisations, but have boardrooms evolved enough to reflect these changes in their risk registers? To gain some insight on this, FireEye commissioned independent technology market research specialist Vanson Bourne to conduct a study in order to better understand security in the boardroom. Based on interviews with 100 Chief Security Officers (CSOs) in the UK, the study explores the security responsibilities of today’s boardroom members and what those responsibilities should be ideally. The results were clear: the CSOs feel changes are needed across the board.

The challenge for many organisations is to reach a consensus of what the ideal boardroom should look like and how each role on the board should be accountable for cyber security. Only then can organisations fully understand the real risks and drive all the right investments to all the right places.

Our study shows that boards still struggle to achieve a full consensus on what the key risks are in their respective organisations. While a majority of the CSOs suggested that their board was often able to reach a degree of agreement on their main security risks, only 30 percent thought their boards would be able to always agree on risk prioritisation. If there isn’t a clear agreement on risk then the organisation will likely be vulnerable to those risks, and it would certainly impact the ability to focus resources and investment in addressing them.

Despite not having a wholesale agreement on the risks, 64 percent of CSOs suggested that their organization’s entire board understands the various impacts of a breach. However, only 32 percent of CSOs felt that their organisation as a whole understands the impacts of a breach – a significant difference.

Meanwhile, who should have the greatest understanding of security in the boardroom? 77 percent of the surveyed CSOs reported that they should have the greatest understanding of security, with the next most common roles being CTO (41 percent) and CEO (39 percent).

Other areas or note explored in the study:

Is the risk register adequately prioritised and managed within the boardroom?

It’s encouraging that more businesses have woken up to the importance of having a risk register that includes cyber security – cyber is included for 99 percent of the organisations that said they have a risk register in place.

Where a CRO (Chief Risk Officer) role was present, it was interesting that only 35 percent of those individuals sat at the board, and only 66 percent were responsible for management of the risk register. Perhaps a concerning result in the study is that more than half (59 percent) of CSOs didn’t think that their CRO had complete cyber security awareness and understanding of the impact of cyber security breaches. This leads us to ponder: while we have cyber on the risk register, is the management of that risk sitting too far from the boardroom with people who don't understand how to adequately manage that risk?

Is the role of the CSO still fit for purpose?

When asked to rate levels of cyber security awareness and understanding that each role has, only 63 percent of CSOs agreed that their role had complete awareness and understanding of the impact of cyber security breaches on the organisation. This can be seen as quite low for a role that is supposed to have expertise in cyber security, especially since respondents were asked which roles should have the greatest understanding of security in the organisation, and 77 percent said the CSO.

If CSOs believe that they should have the greatest level of understanding within an organisation, but only 63 percent think they have complete cyber security awareness and understanding, it seems that there may be a lack of education or skills gap present, or actionable intelligence on the cyber threat needs to flow better within an organisation.

There’s a lack of preparedness for the NIS directive

20 percent of CSOs from enterprise organisations said that they have no incident response plan in place. Planning for cyber security incident response will be vital to organisations subject to the NIS directive, so the fact that one-fifth of organisations don’t have even a basic incident response plan in place shows that there are many steps to be taken to achieve preparedness, both for the directive and for management of cyber security incidents.

If you're reading this as a CISO and wondering how effective your own incident response process is, then you may want to read our advice for achieving the Next Generation of Incident Response capability, or advice on how to test your response with Red Teaming services.

What could the secure boardroom of the future look like?

74 percent of UK CSOs believe changes should be made to the board of their organisation for cyber security to become more integrated. When asked to select the job roles they would like to see on their executive board structure, 85 percent of respondents chose Chief Cyber Risk Officer as a new board level role. It was widely agreed that a core responsibility of that role was to ensure that the CEO has the information needed to provide investors, employees and customers with relevant information in the event of a breach, and for creating a policy for managing cyber risk in that organisation.

Many of the organisations we spoke to feel that cyber security is being talked about at a board level, but perhaps not managed as close to the board as it could be.

What do you think? Does your organisation share a similar view of a need for change? We invite you to review the full results of the research here, and to watch this on demand webinar where Adrian Taylor, FireEye’s Field CTO for EMEA Global Accounts, discusses these findings.