Cybersecurity has become a critical part of corporate governance, with board members increasingly held accountable for the digital safety of their organizations. Amid rising breach costs, new cybersecurity regulations like those from the U.S. Securities and Exchange Commission (SEC), and new studies finding widespread cybersecurity failures, the impact of board-level cyber governance decisions is significant. Board decisions on cybersecurity not only influence the immediate well-being of the organization but also its long-term financial performance and reputation. Leveraging newly released joint research between Bitsight and Google, in this blog we’ll share 5 cyber governance tips for board members to help them better protect their organization.
Many Organizations are Unprepared for Cyber Incidents
A recent research collaboration between Bitsight and Google has highlighted the urgency of the situation. The study — analyzing nearly 100,000 global organizations across 9 industries and 16 security controls — discovered widespread cybersecurity failures across industries, some of them significantly correlated with bad outcomes like breach. This trend highlights the need for board members to reassess their roles in cybersecurity governance to ensure organizational security and to manage financial, reputational, and other negative impacts of cybersecurity incidents.
In light of this study, here are some key considerations for the board:
Cyber Preparedness is Lacking
The study's findings are clear — a significant number of organizations are not ready to face cyber threats. In fact, we found that eight MVSP controls have either high 2023 Fail rates, low Pass rates, or both, across all industries. Two of these MVSP controls map solely to Bitsight’s Patching Cadence risk vector, a measure of an organization’s vulnerability management program. Failure in this area is significantly correlated with bad outcomes like breach.
Software vulnerabilities are no longer a technical concern — they're a critical business risk. Boards must understand these specific risks their organizations face so they can develop strategic plans to address them.
Change is Necessary
Boards need to evolve their traditional oversight roles to become proactive participants in cybersecurity strategy. Change is already happening, much of it driven by regulations including the SEC’s new cybersecurity regulations creating new obligations for reporting “material” cybersecurity incidents and requiring more detailed disclosure of cyber risk management.
Awareness and Informed Decisions
Becoming aware of cyber risk is only the first step. Boards must make informed, data-driven, and targeted decisions that impact their organization’s cybersecurity posture. Many boards rely on cybersecurity analytics to promote an objective assessment of their organization’s performance.
Immediate Action is Required
Delayed responses to cybersecurity challenges correlate directly with increased risk. Organizations that are falling behind in control measures like patching cadence are at a significantly higher risk of incidents.
Financial Implications are Significant
The financial consequences of lacking cybersecurity are clear, with IBM reporting that the average cost of a data breach has risen to $4.45 million, a 15 percent increase from 2020.
Board Accountability
The board is ultimately responsible for the security posture of their organization, full stop. As emphasized by Dmitri Alperovitch, co-founder of CrowdStrike:
“The responsibility of the board is not to be involved operationally and tell the CISO which firewall to buy and which technology to deploy, but it is their [the board’s] responsibility to hold them [the CISO] accountable and make sure they have the resources needed.”
5 Actions for Boards to Reduce Cyber Risk
Boards can take these actions to better protect their organization from cyber threats:
Demand Financial Quantification of Cyber Risk
Boards should require CISOs to provide clear, objective analytics on the organization’s cybersecurity posture, ensuring decisions are data-driven and tied to financial outcomes. Moody’s Investors Service found that nearly 40 percent of organizations do not assess cyber risk in terms of financial impact. Financial quantification translates cyber risk into a universal language so board members can make decisions, prioritize investments, and build context.
Ensure Adequate Resources
Boards must ensure that CISOs have the resources needed to secure the organization effectively. This includes both financial investment and support for developing robust security teams and protocols. Amid budgetary constraints and macro challenges, some organizations are leaning on tools that provide a full view of their attack surface.
Foster a Culture of Security
Cybersecurity is not solely a technical challenge; it’s a business risk. Boards should advocate for a company-wide culture that prioritizes cybersecurity, recognizing that every employee has a role to play. Refuse to have an organization that perceives cybersecurity as a back office technical issue by encouraging executives to promote a culture that views employees as a critical line of defense.
Adopt a Proactive Stance
Proactive risk management, including regular assessments and the implementation of strategic defense mechanisms, should be a board-level priority. Expansion via mergers and acquisitions or otherwise is important but it adds risk. Board members should ensure their organization has what it needs to responsibly onboard vendors, acquire target firms, and meet its goals.
Engage in Continuous Improvement
Boards should encourage continuous improvement and adaptation of security strategies to counter new and emerging threats. CISOs should be reporting improvements via consistently familiar measurements, not in one-off performance recaps with ad hoc metrics.
Take Action Now
Bitsight’s study in collaboration with Google serves as a clear indicator of the current state of cybersecurity performance. It’s clear that board members must take a more active and informed role in cybersecurity decision-making. By doing so, boards can protect their organizations from immediate threats while also building a resilient and trustworthy corporate ecosystem that can withstand future cyber challenges.
Boards and their relationship with CISOs must evolve to face current cybersecurity challenges. Read our high-level overview of the study’s results for a brief on the latest and reach out to Bitsight to learn how we can help.