Boards have wider cyber security awareness but still struggle to manage risks
Risk management specialist Focal Point Data Risk has released its latest Cyber Balance Sheet Report, showing that wider awareness of risks -- including third-party data breaches, ransomware and geopolitical conflicts -- spurs more security dialogue in the boardroom.
However, C-Suite and security leaders still struggle to frame risk in productive decision-making terms and keep an eye on whether companies are operating within an acceptable level of risk.
"This year's Cyber Balance Sheet Report dispels the 'cyber is not a boardroom issue' cliché by showing that not only have board members already received the cyber risk message loud and clear, they are actively initiating more discussion about breaches and threats that could upend their organizations," says Andrew Cannata, Focal Point's CISO and national cyber security practice leader. "The more important issue uncovered by the research is that this surge of interest -- while commendable -- seldom resolves executives' two most important questions: 'What is our risk appetite?' and 'Are we operating in or out of this comfort zone?' When these questions are buried or unanswered, it becomes a recipe for miscalculation and false assurances. Helpfully, security teams and business leaders can use the report’s anecdotes and data to revisit how they frame risk management with leadership."
Among the key findings is that many organizations have not formally established a cyber risk appetite -- that is, the amount and type of risk they are willing to accept. It is the responsibility of boards and C-Level executives to weigh risk appetite against growth opportunities. Yet fewer than half of participants could describe their risk appetite quantitatively, preferring terms like 'very low' instead.
Security incidents and losses, compliance status and security program maturity are the top three most-reported metrics to the board. Perhaps surprisingly, third-party and supply chain, risk appetite and external threat trends are reported less frequently -- despite their urgency for decision-making and frequency in data breach headlines.
You can find out more in the full report, which is available on the Focal Point website.