Jawahar Sivasankaran, September 19, 2022
Cybersecurity is a Board-level Business Issue
Too many boards of directors are blindsided when their organization is hit with a cyberattack and it’s time for them to roll up their sleeves. Cybersecurity should absolutely be a board-level discussion, but too few are truly digging in. In fact, as threats increase, only 33% of directors think their board really understands their cybersecurity vulnerabilities, according to a PwC report.
Boards lacking cybersecurity knowledge can leave their companies vulnerable to disrupted operations, business closures, even states of emergency for entire countries. Quarterly reports and sporadic appearances by CISOs at board meetings aren’t nearly enough. A Ponemon Institute survey of cybersecurity leaders found that only 7% of respondents report directly to the CEO, and 63% don’t report to the board at all.
Let’s take a deeper look at how boards can make security a crucial business priority, get more involved and make better decisions that can help their companies be more resilient.
Cybersecurity is often a nebulous concept for directors, but one for which they are ultimately responsible. Gartner’s recent survey of executives shows that boards are the main decision makers for technology spending, ahead of CIOs and CTOs.
There must be more cybersecurity maturity in the boardroom. CIOs, CISOs and CTOs can play a role in that, but other board members also need to put in the work because threat actors present an urgent business risk. According to IBM’s latest Cost of a Data Breach Report, the average cost of a data breach rose 2.6% in 2022, from $4.24 million in 2021 to $4.35 million, which also represents a 12.7% increase over costs reported in 2020.
Just as boards turned to medical experts at the beginning of the pandemic, they should seek and accept the guidance of trusted cybersecurity professionals now. The threat of an attack is pervasive, and cybersecurity needs representation on the board. A CISO should have a direct line into the entire board, not just the CEO. A CISO’s regular presence, beyond providing the typical quarterly report, will help educate the board on the risks that security teams manage daily and where an organization is most vulnerable.
Prioritizing cybersecurity and bridging the knowledge gap between security leaders and board members can better prepare companies for the growing threat of cyberattacks and help inform decisions on how to combat the risk.
Understanding the cybersecurity landscape
According to ESG Research, only 19% of organizations feel prepared to handle a cyberattack, while 52% believe an attack would likely be a disaster. As boards get a clearer picture of their risk, they also need to understand the cybersecurity strategies and solutions available to them so they’re more confident when an adversary targets their company.
One leading way to minimize enterprise risk is adhering to a Zero Trust framework. Last year, the White House issued an executive order that mandates all federal agencies abide by Zero Trust architecture. Governments in the United Kingdom and Singapore have also embraced the philosophy.
Zero Trust security is an increasingly popular strategy that Gartner says “does not mean ‘no trust’ but zero implicit trust and use of risk-appropriate, explicit trust. To obtain funding and support for Zero Trust initiatives, security and risk management leaders must be able to explain the benefits to their technical executive leaders.”
Those benefits include stronger controls over who and what can access your network and resources regardless of where they reside; containment of unauthorized access; and more efficient policy management and security maintenance. That may sound like a foreign language to board members who don’t have a cybersecurity background, but CISOs and CTOs can translate it for directors to highlight improvements that will not only protect company resources but also improve employee productivity and efficiency.
Zero Trust is, in fact, a top-three priority for 90% of respondents in ESG’s survey, and 60% of the most mature Zero Trust adopters report comprehensive visibility into their ecosystems and no known gaps.
Turning a weakness into a strength
No organization can be completely impenetrable to hackers, but boards shouldn’t shrug off the power of Zero Trust security. It’s easy for directors to be intimidated by new cybersecurity strategies, but knowledge is power, and they must embrace it like any other critical business function.
As any CISO or CIO can attest, a Zero Trust journey isn’t a quick fix. It’s a long-term commitment and framework that will inevitably come with obstacles. According to research from Forrester, 44% of organizations need help identifying and designing the most appropriate Zero Trust pilot, and 43% lack articulated and quantified business outcomes. Fortunately, numerous guidelines, from CISA’s Zero Trust Maturity Model to NIST Special Publication 800-207, are available to help organizations chart their path. We’ve even created our own Zero Trust maturity model roadmap to help organizations understand each stage and the steps they can take to advance their security strategy.
And there are proven business benefits of Zero Trust security. The Nemertes Real Economic Value Report on Appgate SDP, our leading Zero Trust Network Access (ZTNA) solution, reports that it accelerates digital transformation initiatives by an average of 119% and was rated 9.5 out of 10 as most strategic to Zero Trust. Additionally, according to Ponemon Institute’s Global Study on Zero Trust Security for the Cloud, respondents who have adopted Zero Trust tenets also report a range of operational benefits: increased productivity of the IT security team (65%); stronger authentication using identity and risk posture (61%); and increased productivity for DevOps and greater network visibility and automation capabilities (both 58%).
With a clear plan, organizations can focus security efforts on specific departments or projects to start seeing tangible results. Quantifying the effectiveness of a security investment can help boards understand the best way to mitigate their risk. When boards bring cybersecurity leaders to the table and commit to understanding their risk profile, they can take the first steps toward bolstering their defenses against an attack and improving their resilience if a breach does occur.
Additional Zero Trust security resources
eBook: Securing the Hybrid Enterprise
Solution brief: Zero Trust Access for Corporate Networks
Video: Zero Trust Without the BS ft. Jawahar Sivasankaran, Appgate president and COO