While cybersecurity threats were once viewed as a possible but unlikely scenario, a recent report by cyber risk analytics Bay Dynamics suggests that times have changed. Board members are now taking cybersecurity risks very seriously.. In fact, the report found that 26 percent of those surveyed believed cyber risks were their “highest priority.” Cyber risks represented a larger percentage than financial, legal, regulatory or competitive risks. The survey respondents consisted of enterprise executives serving on boards of directors of enterprise companies. “Failing to deliver the cyber risk information that board members want, in a way they understand, will not go unnoticed,” said Ryan Stolte, Chief Technology Officer and Co-Founder of Bay Dynamics. This is supported by another finding in the survey – nearly 60 percent of board members reported that “one or more IT and security executives who fail to provide useful and actionable information in their reports would lose their job.” Additionally, Stolte explains that the mindset change of board members holding IT security executives accountable for cyber risks and cyber-attacks is a critical development that will ultimately get organizations’ cybersecurity threats under control. “It’s hard to move an entire economy, but if we’ve got big boards of big companies that are very engaged and taking it seriously, they’re the ones driving what companies do,” explained Stolte.
Board members have a right to be worried. Eighty five (85) percent of those surveyed believe that IT and security executives must improve the way they communicate with the board through providing “useful, accurate, up-to-date information” that can be better understood by board members. Half of board members believe IT and security executives are too technical when communicating with the board. The report also refers to The Ponemon Institute’s 2015 cost of Data Breach Study, which found that the average total cost of a data breach is $3.8 million. This has forced board members to view cybersecurity as a risk management problem, according to a recent Forbes article. By approaching cybersecurity in this manner, board members can better understand business’ thread models: “what the critical systems used to run the business are, how bad the damage would be if those systems were compromised in various ways and what type of security measures are in place to prevent potential breaches.” In the end, board members will ideally make better investment decisions through analyzing their organizations’ true cyber risk.