Board Security Knowledge Questioned

Friday, September 25, 2015 @ 02:09 PM gHale

Boards of directors are increasingly getting involved in security, but once the board is involved, the next question is whether its members understand what the issue is all about.

In the United States, IT professionals are far less confident in board-level cyber security literacy than their UK counterparts, according to a report by security firm Tripwire.

“Cyber security is definitely a boardroom issue, and I’m encouraged that more organizations are engaging on this topic,” said Dwayne Melancon, chief technology officer for Tripwire. “However, engaging and doing so effectively are two different things.”

Key findings of the report show:
• IT professionals in the U.K. (71 percent) were more likely to consider their corporate board to be cyber security literate than their U.S. counterparts (57 percent).
• 71 percent of the U.K. respondents said their company’s corporate board had a member responsible for cyber security, while half (50 percent) of U.S. IT professionals said this was true for their organization.
• Nearly one third (32 percent) of U.S. respondents believed the information presented to the board did not accurately represent the urgency and intensity of the cyber threats targeting their organization. Only 13 percent of U.K. IT professionals answered similarly.

When asked which major security event had the biggest impact on their board’s cyber security awareness, 34 percent of U.K. respondents said an internal security breach at their organization. However, 74 percent of U.S. respondents said high-profile external breaches, such as Sony Pictures, Target and the Snowden leaks, had the most impact.

“From my experience, I believe some of the respondents may be overly optimistic about the cyber security literacy of their boards, which could be a challenge,” Melancon said. “Fortunately, a good number of organizations recognize that their current approach to depicting cyber security status falls short of their goal of creating an appropriate sense of urgency within their executive ranks.”
