Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Corporate boards are better at cybersecurity but still need improvement

By Robert R. Ackerman Jr.
board of directors freepik

<a href='https://www.freepik.com/photos/business'>Business photo created by rawpixel.com - www.freepik.com</a>

May 6, 2021

This year, Gartner – the world’s leading IT research company – came out with a prediction that upon inspection says a lot about how the highest level of corporate management views cybersecurity risk. It wasn’t that this has become the second-highest source of risk for the enterprise, and could become the riskiest of all. This sentiment already abounds. Rather, it was that a Gartner survey discovered that 40% of American boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member by 2025.

The number today is less than 10%. So yes, this is progress.

But it really isn’t particularly impressive, and that is the real point. Just look at what is going on. More than 80% of U.S. companies have been successfully hacked, according to Duke University. Only a few months into 2021, cyber breaches have already buffeted the likes of Facebook, Instagram, LinkedIn, Microsoft, U.S. Cellular, Kroger, Hobby Lobby, Cancer Treatment Centers of America, and the California Department of Motor Vehicles.

While a number of useful countermeasures are being taken across the board, progress remains relatively slow in the face of borderline existential threats.

Not so long ago, companies thought of cybersecurity as a technology problem to be overseen by the chief security officer (CSO) or the chief information officer (CIO), or as a compliance issue to be managed with audit functions. Today, thankfully, a more holistic, proactive and analytical approach is generally taken. There is more security training and better hygiene and most boards now count a seasoned chief information security officer (CISO) as one of their directors.

Nonetheless, recent surveys underscore that cybersecurity still isn’t where it needs to be in the boardroom. In its 2020 annual corporate director’s survey, for instance, PricewaterhouseCoopers found that less than a third of nearly 700 respondents said they understood their company’s cyber vulnerabilities particularly well.

In a similar vein, a study by Trend Micro, security software provider, found that only 23% of organizations polled said they aligned security with key business initiatives, typically a priority among corporations with the highest-regarded cybersecurity programs. In addition, 44% of respondents said that their board of directors had only limited involvement in many critical cybersecurity operations, suggesting that many boards are only prepared to fund the minimum amount necessary.

Perhaps corporations can do only so much given the belief that many hacks can be contained but not totally eradicated. The attack surface, after all, is gargantuan. A typical enterprise has a huge and diverse array of assets to be protected, including applications, managed and unmanaged endpoints, and IoTs and cloud services. And each Internet-facing element can be attacked in scores of ways. Then, too, there are an enormous number of weak passwords and almost never-ending software vulnerabilities.

Still, the fight must go on, and this sometimes means that the adoption of seemingly promising measures need to be re-evaluated.

In recent years, for example, we have seen an explosion of cyber-risk measurements, which have their place but may be overrated. What is needed now is not merely statistical scores based on third-party evaluations but more holistic assessments that also embrace technical analysis, governance, company culture and the financial impact of adverse cyber events. All this helps top executives and board members better understand their organization’s exposure to the most serious technological vulnerabilities.

Too often, it is the technical side that gets all the attention. These efforts, usually conducted by CISOs, commonly focus on the number of previous attacks, their impact and how quickly they were addressed. While of value, they are largely backward-looking and plagued by chronic change. Also needed are broader views, such as risk orientation, which is important in many facets of corporate strategy, not just cyber. This helps board directors and executives determine how much to invest in cyber defenses instead of other areas in the business.

Here are other ways that boards of directors can improve the cybersecurity posture of their enterprises:

  • Always remember that organizational communications is essential. The board plays a crucial role here in supporting the executive team. Especially during a breach, there needs to be a single version of the truth so that everybody within and beyond the organization understands how a tense incident is being handled. A cyberattack tends to exacerbate inherent tensions. Establishing trust during a crisis can be extremely difficult when people are unaccustomed to working together.
  • Initiate boardroom conversations that cut through the noise. Insist on details about how the company is decreasing the risk of attack and managing any risks that occur. Remember the business adage: “What gets measured gets managed.” Seek ways to monitor metrics, including the number, nature and extent of vulnerabilities, and then establish benchmarks.
  • Don’t be one of those boards that cannot interpret a jargon-laden cyber report. Insist that management reports to boards in ways that are understandable and provide continuous feedback on cybersecurity effectiveness. Boards need ongoing insight, as well as the basic facts.
  • Work to avoid group-think. Instead, learn to think creatively about cybersecurity by trying to put yourselves in hackers’ shoes, i.e., bad actors trying to make systems fail. Understanding their methods may help you avert the next attack.
  • Along with executives, practice exercises in cyberattack response. Experience in defensive procedures matters.
  • Plan ahead for security incidents. Accept that your company will probably be breached despite your best efforts. Therefore, board members need to keep abreast of their company’s incident response plan, ensuring it’s current and that contingencies exist for extreme scenarios and multiple incidents.

Remember two key principals in big-picture cybersecurity management. One is “kaizen” – the continuous improvement of manufacturing and other business activities. This mindset is imperative in cybersecurity. Also bear in mind that board members should never just leave cybersecurity issues in the hands of the chief information officer. Directors need to lead by managing tensions that crop up and by challenging suppositions. All hands, including the top hands, are needed on deck. 

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.

 
KEYWORDS: board of directors corporate culture cyber security information security risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Bob ackerman

Robert R. Ackerman Jr. is founder and managing director of AllegisCyber Capital and co-founder of cyber startup foundry DataTribe. He was the first investor to create a venture fund focused exclusively on cybersecurity and data science and has been investing in cybersecurity for more than 15 years in the U.S. and select international markets. 

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cybersecurity
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Coding on screen

Research reveals mass scanning and exploitation campaigns

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

September 29, 2025

Global Security Exchange (GSX)

 

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cyber_lock

    Companies need to enhance cybersecurity amid the continuation of COVID-19 in 2021

    See More
  • cloud-computing-freepik

    Cloud computing is a bonanza – but security lags

    See More
  • Deepfakes freepik

    The cybersecurity reality distortion field: Deepfakes and other manipulated data

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing