Who's on board when it comes to cyber resilience?

A key element of a company's cyber resilience is governance, a task that falls to the board of directors.

Two areas in which executives see a deficit are the ability of their organizations to identify and fill gaps in cyber talent, and the capacity to develop a cyber-savvy workforce. (Photo: Shutterstock)

Mitigating and responding to cyber threats is critical for today’s companies to sustain profitability and remain reputable. A key element of their cyber resilience is governance, a task that falls to the board of directors.

In March 2018, The Economist Intelligence Unit (EIU) conducted a global survey, sponsored by Willis Towers Watson, of 452 senior executives and board members with cyber responsibilities on how their companies were attempting to become more cyber resilient.

The survey revealed that many executives are confident in their companies’ cyber resilience. But opinions differ on who should lead their cyber defenses and on how much should be spent on cybersecurity.


Room to improve

Two areas in which executives see a deficit are the ability of their organizations to identify and fill gaps in cyber talent, and the capacity to develop a cyber-savvy workforce.

While boards generally don’t focus on cyber-talent issues beyond the qualifications of the chief information security officer (CISO), these deficits speak to cultural issues that do fall within the board’s remit.

The human side of cyber resilience is clearly an area that the C-suite and board members believe their organizations could improve.

Additionally, less than half of the companies surveyed had implemented seemingly basic cyber-related human resource policies, such as ongoing security awareness training, identification of at-risk employees, and internal communications after a security incident.

With this in mind, do small- and mid-size businesses have more at stake than large businesses?

“On the surface, the answer would appear to be larger companies, especially global publicly traded companies due to regulations, shareholders, and the operational risk of a cyber attack and resulting impact on revenue,” says Anthony Dagostino, global head of cyber risk for Willis Towers Watson. “Thinking about smaller companies, as we’ve seen in the past, an organization with low revenue that is perhaps part of a few large customers’ supply chain could be put out of business by the financial and reputational impact of an incident alone.”


Another day, another dollar

Given the magnitude of the risk, most executives think they aren’t spending enough on cybersecurity and cyber resilience.

Fifteen percent of respondents say that they are spending the right amount, and 12% believe they should spend less, according to the report. (Photo: Courtesy of The Economist Intelligence Unit)

Among the 452 companies surveyed, the average spend on cyber resilience is about 1.7% of revenue. When asked where the new dollars should go, “technology to harden cyber defenses” came in first at 20 cents of every new dollar.

Spending more on technology and investments in talent trailed slightly (19 cents of every new dollar), while insurance came in last (14 cents of every new dollar), even though sales of insurance against breaches are growing fast.

Dagostino isn’t surprised that insurance ranks last.

“First, cyber is not a compulsory line of insurance so [it’s] still seen as a discretionary purchase. While the uptake of cyber insurance buyers continues to increase drastically, many buyers still have questions around the effectiveness of coverage, and the buying process, while quicker than in the past, still takes time,” Dagostino says. “Also, we are still in an evolution period of building defenses and understanding risks. This is still akin to fire risk in history. Build with better materials, mitigate loss through alarms and sprinklers, get to know the responders, and then look at insurance.”


Who leads in the battle against cyber threats?

At the board level, cyber presents a dilemma. Executives were asked two questions:

The report found that a growing proportion of companies hold one of two views. The first is that cyber should be overseen by the board itself or by a cyber committee; the alternative is that it should be the responsibility of audit, risk or some other subgroup.

It is possible to combine the two approaches by educating the generalists while simultaneously developing a strong and consistent working relationship with a smaller group that has more in-depth knowledge.

Despite the belief that “the best defense is a good offense,” for companies looking to counter all the threats in the cyber landscape, a more balanced strategy may prove more potent.
