News Feature | October 4, 2016

Boards Pressured To Prioritize Security Due To Compliance Regulations


By Christine Kern, contributing writer

Regulatory Compliance Elevated Standards

A majority of board members say they need a cyber expert on the board.

Bay Dynamics has released What’s Driving Boards of Directors to Make Cyber Security a Top Priority, a report based on a survey asking board members why they are making cyber security a top priority. It takes a deeper dive into the challenges board members face when it comes to reducing cyber risk and complying with regulatory requirements.

“The survey reveals that boards of directors in larger companies are taking cybersecurity and cyber risk much more seriously than they were just two years ago,” said Michael Osterman, Principal Analyst with Osterman Research. “Board members are increasingly recognizing the critical importance of becoming better educated about cyber-related issues and relying on trusted advisors that can increase their expertise on critical cybersecurity and cyber risk issues.”

The study found that three out of five board members believe one or more of their fellow board members should be a CISO or some other type of cyber security expert. With only one in six board members claiming substantial expertise in understanding the nuances and implications of cyber security issues, that expertise gap is what drives the 60 percent who believe one or more board members should be a CISO or another cyber security expert.

Further, while nearly half of the board members surveyed believe that regulations are “very” sufficient in helping to protect corporate data assets, a growing proportion of companies struggle to satisfy their cyber security mandates as regulations increase. Nearly 60 percent said mandates are “somewhat” or “very” difficult to satisfy, a figure that has increased by almost 20 percent from 2014 to 2016.

And the number one driver of board members making cyber security a top priority is complying with regulatory requirements. In the past two years, there has been an 11-fold increase in the number of organizations citing increased regulation from the government as a driver and a similarly dramatic increase from industry bodies. Close behind, with a 10-fold increase, were fears of lawsuits and regulatory penalties. Shockingly, these factors drove more reaction and action than the experience of a breach at their own company.

Business Solutions Magazine recently covered the second report, How Boards of Directors Really Feel About Cyber Security Reports, which showed that cyber risk reduction goes beyond identification of risks by IT executives and must include clear communication of those risks to the board. Bay Dynamics and Osterman Research also published Reporting to the Board: Where CISOs and The Board are Missing the Mark, which is based on a survey asking IT and security executives about the challenges they face communicating cyber risk issues to the board.

“This series of reports demonstrates a positive shift in how boards of directors are prioritizing and approaching cyber risk issues,” said Ryan Stolte, co-founder and Chief Technology Officer at Bay Dynamics. “It is clear that boards understand that they are responsible for setting the cyber risk appetite of an organization. This current report shows that board members want to understand and be actively involved in the cyber risk reduction process. That includes making decisions that drive continuous compliance and going a step further by adding a board member with cyber-specific expertise who speaks the same language as the trusted security executives advising them.”