
The disconnect between Board and CISOs weakening cyber defence strategies

by FutureCIO Editors
October 4, 2022
Photo by cottonbro: https://www.pexels.com/photo/woman-in-black-t-shirt-holding-black-and-white-leather-gloves-6153115/


While cybersecurity is dominant on boardroom agendas, there seems to be a disconnect between board members and their CISOs.

According to the Cybersecurity: The 2022 Board Perspective report, a collaboration between Proofpoint and Cybersecurity at MIT Sloan (CAMS), 69% of board members and 51% of CISOs globally agree that they see eye-to-eye with each other.

Source: The Cybersecurity: The 2022 Board Perspective report

In Singapore, however, that number is significantly lower compared to the other 11 countries surveyed: the country ranks 10 out of 12 for the number of board members that feel aligned to CISOs, while just 44% of CISOs feel aligned with their board.

This disconnect likely contributes to weakened defences against cyberattacks. Despite 78% of board members in Singapore thinking they have invested adequately in cybersecurity, these efforts appear insufficient, with 6 in 10 still believing their organisation is unprepared to cope with a cyberattack in the next 12 months.

Misalignment between Boards and CISOs

One of the ways boards and CISOs are misaligned is reflected in what they perceive as the biggest cybersecurity threat to their organisations. Only 56% of Singaporean board members believe human error is their biggest cyber vulnerability, despite the World Economic Forum finding that human error leads to 95% of all cybersecurity incidents.

Board members also seem to dismiss insider threats, even though these are top of mind for CISOs.

“Lower barriers to entry for cyber threat actors, more aggressive attack methods, a dearth of cybersecurity professionals and patchwork governance mechanisms are all aggravating the risk.”

The Global Risk Report 2022, World Economic Forum

Additionally, while board members globally are most concerned with business email compromise (41%), insider threats rank second last (28%) on their minds. This contrasts with the concerns of global CISOs, who believe insider threats, whether malicious, accidental, or negligent, are the most important (31%).

And CISOs are right to be concerned. According to Proofpoint’s 2022 Cost of the Insider report released earlier this year, insider threats are one of the most prominent vulnerabilities, having increased 44% in the past two years.

More than half of these incidents (56%) experienced by organisations represented in this research were due to negligence, and the average annual cost to remediate the incident was US$6.6 million.


“It is encouraging to see that cybersecurity is finally a focus of conversations across boardrooms. However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organisations for material cyberattacks,” said Lucia Milică, vice president and global resident CISO at Proofpoint.

“One of the ways boards can boost preparedness is by getting on the same page with their CISOs. The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organisational success.”

Lucia Milică

Consequences of disconnect

A disconnect in the board-CISO relationship could contribute to weakened defences against cyberattacks.

While 78% of board members in Singapore think they have invested adequately in cybersecurity, 70% discuss cybersecurity at least monthly, and 68% feel their board understands their organisation’s systemic risk, these efforts appear insufficient, with 62% still viewing their organisation as unprepared to cope with a cyberattack in the next 12 months.


“Board members play a key role in their organisations’ cybersecurity culture and cybersecurity posture. Board members have fiduciary and oversight responsibility for their organisations; therefore, they must understand the cybersecurity threats their organisations face and the strategy their organisations take to be cyber resilient,” said Dr Keri Pearlson, executive director at Cybersecurity at MIT Sloan (CAMS).

“Board members need to look for ways to make CISOs their strategic partners. With cybersecurity risk front and centre on boardroom agendas, a better alignment of CISOs’ and boards’ cybersecurity priorities will only serve to improve their organisations’ protection and resilience.”

Keri Pearlson
Copyright © 2022 Cxociety Pte Ltd | Designed by Pixl
