5 Warning Signs of Cybersecurity Overconfidence

Although cybersecurity remains a top concern for most boards of directors, recent research suggests that their threat awareness may not be as accurate as it should be. Studies attribute this largely to a wide gap in understanding between the security department (the employees who work in the trenches to protect the company and its assets from IT threats) and the board of directors (the executives who oversee departmental operations).

Here are the top five warning signs that your board of directors is experiencing cybersecurity overconfidence:

1. Poor communication between security department and board of directors
As previously mentioned, there is a large disconnect between the board of directors and security personnel, and it will only worsen if the lack of communication continues. When department heads and their employees are not communicating effectively, it becomes extremely difficult for the department to operate successfully. According to a recent study by the Ponemon Institute, 59 percent of board members see their cybersecurity program as very effective, while only 18 percent of security personnel agree. By opening that line of communication, the board can gain a better understanding of what is going on within the security department and make the appropriate adjustments for improvement.

2. Members of the board lack cybersecurity knowledge
If the directors who oversee security risk assessments and audits do not fully understand the data being collected, it is nearly impossible to know whether the cybersecurity program is operating effectively. The Ponemon Institute study revealed that only 33 percent of board members surveyed would consider themselves knowledgeable about cybersecurity. This lack of knowledge contributes directly to cybersecurity overconfidence by allowing the board to maintain an overly optimistic view of the organization’s threat landscape.

3. Boards of directors underestimate cyberthreats
According to a Tripwire survey of U.S. retailers, when asked how quickly their organizations would detect a breach, 42 percent said it would take 48 hours, 18 percent said 72 hours, and 11 percent said a week. This is surprising, considering that industry research puts the average time to detect a breach at 229 days. In fact, most breaches go undiscovered for months or longer, and the detection times respondents gave are self-assessments rather than measured results. “While on the one hand it’s encouraging to see that companies are confident in their ability to deal with threats,” Florent Skrabacz, head of security business at Steria, told CXOtoday.com, “there is a risk that this confidence is misplaced.”

4. Boards of directors are unaware of security incidents
The recent Ponemon Institute study shows that in many cases members of the board are uncertain whether their company has experienced a security incident. One in five said they were unsure whether they had experienced a business-disrupting cyberattack in the past few years, and 18 percent did not know whether they had experienced a breach involving “high-value information.” Even more telling, the same study found that over half of security professionals said their organizations had in fact experienced a breach involving “high-value information” in just the past two years, while only 23 percent of board members said the same.

5. Board members do not use cybersecurity metrics
While most boards of directors understand the reputational impact of a breach or security threat, most stop there. To maintain a successful cybersecurity program, it is crucial for the board to ask its security department for more information. Only 19 percent of boards use security KPIs or other metrics to confirm that the IT department keeps risk within an accepted level, according to the Ponemon Institute. Without shared, measurable targets, the board and IT security personnel cannot know whether they are working toward the same goals.

So how can organizations avoid cybersecurity overconfidence? Investing in a governance, risk management and compliance (GRC) tool, such as Keylight, can help significantly. Keylight features multiple dashboards that let security personnel report on the health of the program up the chain of command. It also lets you conduct risk assessments and prioritize risks by probability and impact, so board members can gauge the severity of a threat more easily. Keylight can help establish and monitor security metrics to ensure the board and IT security employees are all working toward the same goal: a successful and effective cybersecurity program.
