Cybersecurity on the agenda for 80 percent of corporate boards
The survey, conducted jointly by NYSE Governance Services and security vendor Veracode, revealed that more than 80 percent of board members say that cybersecurity is discussed at most or all board meetings.
Specifically, 35 percent said that cybersecurity was discussed at every board meeting and 46 percent said it was discussed at most meetings. Only 10 percent said they discussed cybersecurity after an incident in their industry or at their company -- and only 1 percent said they never discussed cybersecurity at all.
"It's become a really serious issue," said Chris Wysopal, CTO and co-founder at Veracode, a security vendor. "It's not just an IT issue, or a policy issue, or a compliance issue. It's becoming a corporate risk issue."
According to the survey, the board members held the CEO primarily responsible for cybersecurity, with the CIO as the second-most responsible executive.
One example of this is last year's resignation of Target's CEO and CIO after that company's highly-publicized data breach.
This bodes well for corporate security, he said.
"That means you're going to see the security get a larger budget," he said. "But also, more importantly, be an issue that the whole company is going to be charged with solving, not just the IT department or CISO."
However, 66 percent of board members are not confident of their companies' ability to defend themselves against cyberattacks. Only 4 percent said they were "very" confident.
And, despite this lack of confidence, security ranked second to last in priority when it comes to developing new products and services.
"There's obviously a disconnect between the true risk and what's been done to mitigate it," Wysopal said.
Top security concerns
The board members surveyed said that brand damage, data breach costs, and theft of intellectual property were the top concerns when it came to cybersecurity.
However, board members were less interested in specific details of how security was implemented.
Instead, 33 percent preferred to learn about corporate cybersecurity efforts in the form of high-level security strategy descriptions, and 31 percent wanted to learn about risk metrics.
Only 11 percent wanted to see peer comparisons or descriptions of specific security technologies, and only 9 percent wanted to know about the company's audit and compliance status.
Not surprisingly, while technical skills and experience was the top quality boards wanted to see in a CISO, the rest of the qualifications looked for, in descending order, were business acumen, strong communication skills, ability to take risks, and expertise in crisis communications.
This was the first year that Veracode and NYSE Governance Services conducted the survey, so historical comparison data was not available.