Boards still in the dark about cyber defence

The ‘Boardroom Cyber Watch 2014’, conducted by IT Governance, also shows that 32.5 per cent of businesses say their boards receive no regular reports on how their organisation is developing and implementing its cyber defence strategy.

Nevertheless, there are signs of progress. While 38 per cent of respondents receiving a board report on cyber defences say this information is provided only annually or less than annually, the other 62 per cent receive this at least monthly. This is up from 48 per cent in last year’s study.

The survey also suggests that the quality of cyber-security reporting to the board is an area requiring improvement. Some 21 per cent of respondents believe that their company’s board reports fail to provide the information necessary to take decisions, with another 28 per cent unsure if adequate information is provided.

An additional area of concern is the quality of communication between the IT function and the board. In fact, 29 per cent believe that fear of retribution could be discouraging the IT department from fully disclosing details of cyber breaches to top management.

Alan Calder, Founder and Executive Chairman of IT Governance, says: “The lack of boardroom insight into cyber threats may partly explain the reluctance of some companies to give up outdated security goals. This situation is underlined by the fact that 38 per cent of respondents still say their objective is to prevent all cyber-attacks, an aspiration which will strike many information security professionals as unrealistic or even naive.

“While organisations need to defend themselves against potential attack, they must also accept that some attacks will inevitably succeed. Therefore, an organisation’s cyber resilience is now the critical survival factor – its ability to recover quickly once an attack has taken place. Ultimately, organisations seeking to implement effective cyber resilience need to utilise the best practice approaches offered by international cyber security and business continuity standards, coupled with staff training and other tools.”
