by Marc Wilczek

Why corporate boards put their digital transformation at risk

Nov 07, 2019
CIOCSO and CISOIT Leadership

Despite increasing cybercrime and dependency on digital revenues, many CEOs operate in the dark. A stunning 63 percent of CISOs donu2019t regularly report to their board, research by Ponemon Institute finds.

A group of business leaders / board members with questions.
Credit: FangXiaNuo / Melpomenem / Getty Images

Security breaches always seem to be in the news, but only a handful of organizations are protecting themselves against these threats by actively reducing their cyber-risk exposure. Research by the Ponemon Institute revealed that 63 percent of CISOs don’t regularly report to their organization’s board of directors, and 40 percent don’t report to the boardroom at all. Most enterprises still take a reactive approach to cyber-security—that is, they deal with incidents only as they arise, rather than planning in advance—which makes them a lot more vulnerable to cybercrime and puts their digital transformation strategy at risk.

Whether they occur through ransomware, data theft, or DDoS attacks, security incidents can cause a world of trouble—expensive, reputation-shattering trouble—for any organization, large or small.

Lack of board involvement and accountability

Although today’s companies depend more and more on having their IT systems always up and running, C-Suite executives and board members persist in their reactive approach to cyber-risk strategy. With four in ten CISOs not reporting to the board, the research findings suggest a widespread shortage of accountability. Although cybercrime is skyrocketing and becoming more expensive to counter, just 14 percent of that group report to the board only after a security breach—typically when it’s too late.

But even when corporate directors are kept abreast of the pressing cyber-security matters their companies face, many tend not to act. Almost one-third of CISOs in the Ponemon survey said their board of directors or CEO determines or approves an acceptable level of cyber-risk for the company, and only 21 percent said their board or CEO asks for cyber-security due diligence during mergers and acquisitions. Of course, with every new M&A deal, the company potentially exposes itself to even more cyber-liabilities that might result in a boatload of regulatory and legal fines if a security breach surfaces. As an example, take an innovative startup that gets acquired by a larger enterprise: The GDPR, for instance, bases fines on the firm’s total revenue, which is typically significantly greater than that of the newly acquired and integrated entity.

Overall, the survey results show that C-Suite executives and board members aren’t assuming enough responsibility for cyber-risk within the company. Consequently, cyber-risks are being trivialized and delegated, while corporate officers are oblivious to what’s going on and how endangered critical corporate data, infrastructure, and other digital assets might be. The message this lax attitude sends to the public is not a positive one.

Prevention instead of reaction to cyber-risk

Rather than doing regular monitoring and analysis, for the most part organizations are hoping for the best and then reacting to incidents only after they occur. For instance, just under 70 percent of CISOs said this was how their organization dealt with cyber-security, and 63 percent claimed they could use better monitoring tools. In other words, it’s not just that companies are taking a lax approach to cyber-security; many of them are also more or less in the dark about the very real threats they’re up against. Over half of the survey respondents admitted that their IT security apparatus had holes in coverage or other shortcomings that made them sitting ducks for cybercriminals.

In fact, a mere 24 percent of respondents described their measurement and metrics program as “mature”, while 30 percent said it was “partial”. It seems that the rest had a mishmash of programs. Furthermore, a whopping 40 percent of CISOs admitted that they don’t quantify or monitor their cyber-risk posture, and just 39 percent of the ones that do bring their findings to their boards of directors.

Given the sheer volume of data and the business demand for opening up infrastructures to allow interlinking of value chains and supply chains, keeping track of cyber-threats is getting a lot tougher. However, when it comes to cyber-attacks, the speed of mitigation is of the essence in order to minimize damages. Paired with the huge shortage of cyber expertise, it is an illusion that throwing people at the issue is going to work. Moreover, human error is still one of the major reasons why IT service chains fail. To ensure an instant response to threats and alarms, organizations must count on automation and machine learning instead.

New corporate mindset needed

Many organizations have upgraded their IT infrastructure and invested in new technologies, apps, and digital platforms. At the same time, organization, processes and governance models are archaic and can’t keep up. Nearly half of the organizations don’t measure or track their cyber risk, and of those that do, not many let the board of directors know what they’ve discovered.

While this approach might have worked in the analog world, in the digital era, it leads to an unnecessary increase in risks and is simply no longer adequate. Inevitably, digital business is associated with new risks, because revenue, profit and reputation increasingly depend on resilient IT operations. Consequently, the CISO function deserves more airtime in the boardroom. It would simply be negligent to ignore this or delegate it away.

What is needed is a paradigm shift—a new corporate mindset that values and respects cyber resilience and comprehends the integrity and availability of IT services and data as differentiating factors in the digital economy. But the only way to make this work, says Ponemon, is if corporate boards prioritize it.

“Enterprise culture is formed at the top. If enterprise leaders are not actively engaged in ensuring a strong cyber-security posture, it sends the message that cyber-security is not a mission-critical issue,” says Larry Ponemon, founder and chairman of Ponemon Institute. “The board of directors and C-suite typically come under fire when their organization suffers a data breach or other security incident, and therefore must be involved in enforcing a proactive approach to identifying and remediating security gaps. While most companies have an executive tasked with accurately determining the efficacy of their cyber-security strategy, they need to be communicating these findings to senior leaders and the board on a regular basis.”