The Boardroom Gap: How to Close the Gap Between Board Priorities and Actions
As cyber attacks become more costly, disruptive and dangerous for businesses, cybersecurity governance is rapidly becoming a top priority for boardrooms. Some boards are adding cybersecurity expertise to their list of director competencies by appointing a new director with that background, while others are using contractors and third-party service providers to bring cyber risk expertise into the boardroom. Some boards are employing a more controversial method: hiring hackers from red teams to test their systems and find out where they are vulnerable.
There is a disconnect between the priorities that boards set and the actions they take to accomplish them. Our research shows that only 69% of board members report that they regularly interact with their CISOs, and a significant portion of those board members interact with their CISOs only when the CISO is presenting to the board. These gaps must be addressed to ensure that the boardroom is capable of discussing and recognizing cybersecurity dangers.
To bridge the cybersecurity gap, it is essential to make cybersecurity a part of every board’s agenda and to engage directors in meaningful discussions about the dangers they face. This requires a change in how the discussion takes place in the boardroom, including a dedicated agenda item and pre-read materials that enable more in-depth discussion of cybersecurity issues during meetings. It also requires making cybersecurity a board-wide concern and creating a security-minded culture in the business through high-level leadership, rewards for those who increase awareness of risk, and consequences for the entire management team.