Board Can Play A Key Role In Curbing Cyber Threats

by CXOtoday News Desk    Feb 15, 2017


Boards and senior management in organizations increasingly understand that cybercrime is a risk management issue that affects the entire organization and requires board oversight. However, although directors know that they need to stay informed about cybersecurity, keeping up with it in a complex, rapidly evolving threat landscape is often challenging. The good news is that there has been an increase in the number of firms whose boards of directors and management are actively engaged with cybersecurity and are adopting best practices in their IT departments. Protiviti’s 2017 Security and Privacy Survey shows that current board engagement levels are at 33 percent, compared to 28 percent in 2015.

“While the increase in boards of directors’ and company management’s engagement with information security is a positive sign, it’s imperative that leadership keeps closer tabs on the state of their organizations’ cybersecurity programs,” said Scott Laliberte, a Protiviti managing director and leader of the firm’s global IT security and privacy practice.

He believes this is all the more so because, as new technologies are introduced and new approaches to generating revenue are deployed, it’s increasingly important to reexamine existing data security and privacy processes on a regular basis, ensuring that the right systems and people are in place to keep pace with changes.

Here are some of the other interesting findings of the survey:

Having an engaged board and a comprehensive set of security policies makes a huge difference. Companies in which the board has a high level of engagement in information security rate considerably higher than other companies in nearly all facets of information security best practices. The same holds true for organizations that have all of the core information security policies in place.

When it comes to security, these foundational qualities distinguish top-performing organizations from the rest of the pack. A concerning number of companies – nearly one in five – cannot confidently identify or locate their most valuable data assets. Protecting these “crown jewels” requires a data classification scheme and effective policies that are supported across the enterprise.

People, as well as policies, are key to an effective security program. Security policies are best supported with training programs and communications for employees, who are often responsible, unintentionally or otherwise, for enabling data and security breaches. Organizations should focus on promoting a culture of security policy compliance.

Vendor risk management must mature. As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures – areas that might stand between an organization’s crown jewels and cyber-attackers.

The percentages of companies that have adopted each of the five core information security policies are: an acceptable use policy (80 percent); a records retention/destruction policy (78 percent); a data encryption policy (70 percent); a written information security policy (69 percent); and a social media policy (59 percent).

However, the research concludes that there is significant progress to be made because only 38 percent of surveyed companies have all five information security policies in place today.