Are boards placing enough importance on cyber security?

Cyber security is becoming one of the most prominent risks affecting organisations across the world. As threats increase in volume and sophistication, businesses must ensure they have adequate measures in place to prevent breaches.

 

However, comprehensive cyber security requires senior management buy-in to be successful. So how involved are company C-suites when it comes to cyber security issues? Are executives taking these risks seriously enough?

Cyber security emphasis grows

A new Bay Dynamics report, conducted by Osterman Research, revealed that cyber security is growing in importance at the board level. The survey highlighted a significant rise in the number of board members who considered cyber security a high priority – from seven per cent in 2014 to 30 per cent today.

 

This figure is only expected to climb even higher over the next two years, with the report predicting 44 per cent of executives will see the issue as a high priority by 2018.

 

According to the research, regulatory requirements are the biggest driving force behind this increased focus, although high-profile data breaches that have recently hit the headlines are also having an impact.

 

Notably, these drivers have become incredibly important over a short period of time. Just two per cent of businesses claimed regulatory obligations were behind cyber security enhancement measures in 2014, while 18 per cent said the same this year. Similarly, two per cent cited high-profile data breaches two years ago, but this climbed to 13 per cent this year.

UK breaches on the rise

The Bay Dynamics report covered US businesses, but statistics from the UK reveal a similar story regarding cyber security fears.

 

PwC’s 2015 Information Security Breaches Survey showed more companies are suffering attacks on their systems, with 90 per cent of large organisations reporting a breach last year, up from 81 per cent the previous year.

 

The cost of security incidents is also soaring, with these firms reporting their worst breach cost between £1.46 million and £3.14 million to resolve. This was substantially higher than the £600,000 and £1.15 million range reported in 2014.

 

Smaller businesses also experience damaging costs, with organisations shelling out £75,000 for each breach at the lower end of the scale, while more serious incidents can cost up to £311,000.

 

Board engagement with cyber security is good in the UK; 82 per cent of businesses said their senior management gave the issue high or very high priority. However, 28 per cent also admitted that the failure of executives to take cyber security seriously was at least partly responsible for their worst breaches.

Finding the right professionals

Having more cyber security experience on boards could help businesses tackle these issues more effectively.

 

The Bay Dynamics survey showed 21 per cent of respondents reported no expertise in this area on their boards. Just one per cent said they had a great deal of expertise.

 

This creates a significant divide between the board and security professionals, with 30 per cent of board members admitting they don’t understand everything their staff are reporting about cyber security issues. More than half (54 per cent) agreed or strongly agreed the information they received was too technical.

 

Hiring security professionals with the right interpersonal skills can dramatically improve communication between the IT and business departments. People with the ability to deliver complex information regarding cyber security risks in a straightforward manner to senior executives without technical experience are key to ensuring everyone is on the same page.

 

That said, a recent report from Intel Security revealed that 82 per cent of organisations polled in a global survey said they suffered a cyber security skills shortage. More than seven in ten claimed this lack of talent caused direct and measurable damage to their business.

Building cyber security measures

The Intel Security survey echoes Barclay Simpson research conducted earlier this year. Our report found 68 per cent of managers believed their security departments were under-resourced.

 

More than half said good-quality security professionals are difficult to find, with information and cyber security teams struggling in particular. Both interpersonal and technical skills are sought after, although the latter are slightly more in demand.

 

Nevertheless, boards may need to ramp up efforts to identify and attract the best candidates to positions at their firms if they want to prevent serious breaches that could cause financial and reputational damage.

 

Cyber security is clearly becoming a more important issue with the C-suite, but tackling these problems will require senior management buy-in and skilled professionals. Businesses that are missing either of these elements may struggle to build a comprehensive strategy to stop imminent risks.

 

Our 2016 Compensation and Market Trends Report combines our review of the prevailing conditions in the security & resilience recruitment market together with the results of our latest employer survey.

 

Image: kutubQ via iStock