Cybersecurity and compliance company Proofpoint surveyed 659 board members globally for the second annual Cybersecurity: The 2023 Board Perspective report.
The findings reveal that 84% of participating board members in Australia view cybersecurity as a priority, higher than the 73% global average. Furthermore, 81% believe they have invested adequately in cybersecurity, and 88% anticipate their cybersecurity budgets will increase in the next 12 months. These findings are encouraging, especially since Australia lagged behind other countries last year in terms of prioritising cyber risks.
However, investing time and money into cybersecurity has not produced the expected results. Nearly three-quarters of surveyed Australian directors feel that their organisation is at risk of a material attack in the next 12 months, compared to just over half the previous year. Additionally, 59% feel unprepared to cope with a targeted attack, higher than the 53% global average.
The events of the past year may have contributed to the disconnect between awareness and preparedness. According to news reports, the Australian Information Commissioner said that the number of cyber attacks grew by 67% between the first and second half of 2022. We also experienced several massive data breaches.
Emerging threats such as generative artificial intelligence (AI) may have also influenced the directors’ sentiments, as 71% expressed the belief that tools such as ChatGPT create a security risk for their organisation. Targeted email fraud is currently one of the biggest concerns, since the new AI tools can help produce more convincing phishing emails in a range of Asia Pacific languages. Concerns will grow further as cybercriminals begin to take advantage of open-source generative AI to perpetrate cyber crimes.
The disconnect between awareness and preparedness suggests that organisations understand they can be compromised in many ways, yet the fear of the unknown makes them feel vulnerable.
One of the biggest challenges is the board’s lack of education. Every business is unique and complex, and its risk profile has many nuances. With a large number of organisations planning to increase their cybersecurity budgets, this is an opportune time for boards to boost their cyber knowledge and lead conversations that can drive meaningful change.
Is business risk ‘lost in translation’?
The Australian Parliament’s passage of the Privacy Legislation Amendment Bill 2022 upped the ante on privacy last year. The substantial increase in penalties certainly has the boardroom’s attention. The Proofpoint report confirms that boards are demonstrating their fiduciary responsibility to improve cyber resilience. However, it also suggests that there is a big knowledge gap around cybersecurity, and this lack of knowledge will hinder the boards’ effectiveness in managing cyber risks.
Around three-quarters of surveyed Australian directors believe that their board clearly understands the cyber risks their organisation faces. This assessment is overly optimistic, given the large number of directors who are not seeing the impact of the time and money they are spending on cybersecurity.
The lack of a direct connection between directors and their Chief Information Security Officer (CISO) is one of the biggest challenges for boards seeking answers. Only 57% of Australian directors say they interact with their CISO regularly. Even when they are communicating, boards may not be receiving the right information or asking the right questions. Far too often, the risks are presented to the board in an ad hoc and IT-centric fashion. If the technical data doesn’t get translated into business risks, boards simply cannot be effective at providing cybersecurity oversight.
Looking at risk broadly rather than through the lens of an organisation’s specific situation is also a common mistake. Understanding overall cybersecurity trends is important for directors, but it is equally important to understand how factors such as their organisation’s business model and sector impact their risk profile. For example, a company may not have customer data or conduct online transactions but may own valuable research and development data. This company may be targeted for very different reasons compared to an e-commerce retailer.
Boards face a steep learning curve, and the first step is to stop asking boilerplate, generic questions.
What makes your business unique, and how do those variables make it vulnerable to attacks? What are the implications of the different types of data your organisation holds? How are all these cyber risks driving your business risks? These are the types of questions that can help ensure that information is not lost in translation as it makes its way through the C-suite to the boardroom.
Bridging the knowledge gap
Cyber expertise on the board is one of the top three desired changes on surveyed Australian board members’ wish lists. Cyber education is an essential step in gaining this expertise, and education is not a “one-size-fits-all” endeavour. Each board must seek out an educational program that is tailored to their company, risk profile, and risk appetite.
By narrowing their knowledge gap, directors can feel more comfortable asking the right questions and ensuring they’re adequately analysing, prioritising, and monitoring risks. Strong relationships with CISOs are also key to this effort as cyber risk grows more complex.
The good news is that Cybersecurity: The 2023 Board Perspective shows gradual improvement in the CISO-board relationship. Board members who pursue better education and collaborate strategically with their CISO will be in a much better position to understand what they need to do to protect their organisation. Only then will they be able to confidently answer the question of whether they’re doing enough and investing in the right cybersecurity resources.
Key Australian findings:
- Generative AI has most of the boardroom’s attention: with tools such as ChatGPT getting much of the spotlight in recent months, 71% of surveyed Australian board directors view this emerging technology as a security risk to their organisation.
- Year-over-year comparison shows Australian board members are much more concerned about cyber risk: 74% of those surveyed feel their organisation is at risk of a material cyber attack, compared to 52% in 2022.
- Awareness and funding do not translate into preparedness: 84% of Australian board directors agree that cybersecurity is a priority for their board, compared to just 73% of directors globally. In Australia, 76% believe their board clearly understands the cyber risks they face, 81% think they have adequately invested in cybersecurity, and 88% believe their cybersecurity budget will increase over the next 12 months; however, these efforts are not leading to better preparedness—59% still view their organisation as unprepared to cope with a cyber attack in the next 12 months, higher than the global average of 53%.
- Board members and CISOs have similar concerns about their biggest threats: Australian board members ranked email fraud/BEC (53%), ransomware (40%) and cloud account compromise (31%) as their top concerns. This is only slightly different from CISOs’ top concerns of cloud account compromise (36%), ransomware (35%), and DDoS attack (34%). This is different to global board members, who ranked malware as their top concern (40%), followed by insider threat (36%) and cloud account compromise (36%).
- Directors are not aligned with CISOs in the areas of people risk and data protection: more Australian board directors (66%) than CISOs (51%) agree that human error is their biggest risk, and board members are also much more confident in their organisation’s ability to protect data—84% of directors share this view, compared to only 49% of CISOs.
- Additional cyber resources, better threat intelligence, and cyber expertise on the board top boardrooms’ wish lists: 45% of Australian board directors said their organisation’s cybersecurity would benefit from more cyber resources, 38% would like to see better threat intelligence, and 38% would like cybersecurity expertise on the board.
- Board-CISO interactions and relationships are gradually improving: 57% of Australian board directors say they interact with security leaders regularly. While an increase from last year’s 43%, it still leaves nearly half of all boardrooms without strong CISO-C-suite relationships. Board members and CISOs are generally aligned when they do interact, however, with 72% of board members saying they see eye-to-eye with their CISO and 57% of CISOs agreeing.
- Personal liability is much more of a concern for boards than CISOs: 84% of Australian board directors expressed concern about personal liability in the wake of a cybersecurity incident at their own organisation, higher than the global average of 72%. Meanwhile, only 54% of Australian CISOs agree with these concerns.
Jennifer Cheng is Cybersecurity Strategy Leader at Proofpoint.