The importance of cyber security is being increasingly recognised at the highest levels of many organisations, with a new survey revealing the topic is frequently on the agenda in the boardroom.
Research by Veracode and NYSE Governance Services revealed more than four out of five directors at public companies reported that cyber security is discussed at most or all board meetings.
The study observed that pressure has been mounting on board-level employees to take a more active role in their firms' cyber security efforts following multiple high-level breaches that have led to C-level changes. One result of this is that board members are now being tasked to personally oversee cyber security as a key risk area.
However, the survey also revealed two-thirds of directors admit they are not fully confident their organisations are safe from cyber attacks. While cyber security now ranks highly on the C-level's agenda, board members ranked it second to last in priority when developing new products and services, behind concerns such as competitive differentiation, revenue potential and development costs.
This environment has created a need for chief information security officers (CISOs) to better understand board member perceptions and become more effective at communicating their cyber security strategies in the boardroom.
Chris Wysopal, co-founder and CISO at Veracode, said security professionals must leverage the momentum created by this increased focus on cyber threats to build a consensus around what it will take to reduce risk.
"There will be bumps in the road for everyone involved, especially now that the board is becoming an active participant in what was once a deeply technical domain," he said. "This requires CISOs to expand their skillset and get comfortable describing cyber risk relative to other business priorities and board-level concerns."
The survey noted that a strong understanding of the technical threats is no longer enough for these professionals: respondents listed technology skills and experience, business acumen and strong communication skills as the top three qualities that strong CISOs should possess.
It therefore highlighted several key findings that could be of use to CISOs when they are presenting to the board.
For instance, it revealed brand damage, breach cleanup costs and theft of corporate intellectual property leading to loss of competitive advantage are the top three cyber security worries for directors.
Therefore, security professionals need to be able to spell out how the right tools can help prevent these issues in order to get executive buy-in to their efforts.
Meanwhile, more than 70 percent of respondents reported having significant concerns about the risk posed by third-party software in their supply chains, so CISOs will also have to detail how these issues are being addressed.
Professionals should also stress the importance of shared accountability when it comes to cyber security. Board members stated that they are likely to hold the chief executive ultimately responsible in the event of a breach, which signals a shift away from the onus being placed solely on the IT department.
Investing in the right cyber security tools plays a central part in reassuring board members about a firm's defences. Innovations from Encode, supported by IBM QRadar, can help give C-level personnel the peace of mind they need that their company is as well-protected as possible.