Incessant cyberattacks have forced boards to take an active interest in cybersecurity. Finally, cybersecurity is no longer viewed as the CISO’s or CIO’s problem — it is increasingly seen as a ‘whole of organisation issue,’ and boards have an imperative role to play. Despite this progress, boards remain unprepared for cyber attacks. Alarmingly, only 62% of Singaporean board members believe that their organisation is prepared for a cyber attack, according to a recent report by Proofpoint and MIT Sloan (CAMS).
Cybersecurity: The 2022 Board Perspective, a report by Proofpoint and Cybersecurity at MIT Sloan (CAMS), found that there is a disconnect between board members and their CISOs. Globally, 69% of board members and 51% of CISOs agree that they see eye-to-eye with each other. In Singapore, however, that number is significantly lower compared to the other 11 countries surveyed – ranking near the bottom for the number of board members who feel aligned to CISOs (59%), while just 44% of CISOs feel aligned with their board.
This is not the only disconnect. Singaporean CISOs and boards are clearly misaligned on what they consider to be the biggest cybersecurity threat to their organisations. Board members in Singapore ranked email fraud/business email compromise (BEC) and ransomware as their top two concerns (36%). CISOs ranked Distributed Denial of Service (DDoS) and cloud account compromise as their top two concerns.
Singaporean board members and CISOs also disagree about the most important consequences of a cyber incident. Reputational damage is at the top of the list of concerns for boards in Singapore (40%), followed closely by internal data becoming public (38%). These concerns are in sharp contrast with those of Singaporean CISOs, who are more worried about significant downtime, disruption of operations, and loss of customers. Given this disagreement over the most important consequences, are the correct cyber programs being delivered to organisations? And are the right business outcomes being delivered?
With just 62% of Singaporean board members believing that their organisation is prepared for a cyber attack, greater preparedness can only be achieved if boards and cybersecurity professionals are aligned in their approach to cybersecurity. This relationship certainly has room for improvement. At the very least, there needs to be agreement on the risks faced by the organisation and the level of preparedness necessary to manage those risks. The board needs to view this risk as a business risk, which for some organisations requires a shift in culture.
Proofpoint’s research also found that boards are warming up to regulatory oversight. 84% of Singaporean respondents to the survey agree that organisations should be required to report a material cyber attack to regulators within a reasonable timeframe, and only 4% disagree.
Human Error is the Biggest Vulnerability
Technology controls alone are insufficient — organisations must focus more on people and processes. We must flip our traditional way of thinking and put people at the centre of our cyber focus. Proofpoint’s research showed that although 74% of those surveyed believe their employees understand their role in protecting the organisation against threats, 56% of Singaporean board members believe that human error is their biggest cyber vulnerability.
Therefore, a more people-centred approach, where individuals understand cyber risks and know their role if an attack occurs, is key. There needs to be a drive to uplift security culture. Individuals need to understand why cybersecurity is important and feel empowered to act, so it is important that they know the channels for reporting attacks or suspicious communications. Our research shows that most cyber attacks can be traced to some type of human error. That means making sure people throughout the organisation, including board members, know what to watch for and what to do should they encounter a questionable email, link, or website.
The language used to articulate cyber threats needs to be risk-based, relatable to the business, expressed in the business's own terms and aligned to its risk appetite. Too often, security professionals use terminology that is difficult for board members to understand. Boards need to take a much bigger role in managing cyber risk. To achieve this, they need to understand the potential impact to the business. CISOs, or the most senior cybersecurity professionals in an organisation, need to be involved in board meetings, especially when risk is on the agenda. To appropriately manage risk and be on the same page, cybersecurity conversations must be framed in the context of business risk.