Boards are grasping cyber threats, but CISOs still feel underprepared

"It remains a challenge to translate increased awareness into effective cybersecurity strategies that protect people and data," said a Proofpoint leader about new research comparing the perspectives of board directors and CISOs.
By Andrea Fox
10:50 AM

A new report that looks at the cybersecurity posture of boardrooms, and examines the level of communication and collaboration between boards and their chief information security officers, shows closer alignment between boards and their infosec leaders. But it also shows there is still work to be done to build a unified response to cyber threats.

WHY IT MATTERS

Proofpoint's second annual Board Perspective report, published Sept. 6, explores three key areas: the cybersecurity threats and risks boardrooms face, their level of preparedness to defend against those threats and their alignment with CISOs – based on the sentiments uncovered in the company's Voice of the CISO report released earlier this year.

To assess board perspectives, Proofpoint researchers examined responses to surveys conducted in June with 659 board members at organizations with 5,000 or more employees across different industries, including healthcare.

More than 50 board directors in each of the countries – U.S., Canada, U.K., France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil and Mexico – participated.

Board members cited concerns with ongoing volatility, including lingering geopolitical tensions and increases in ransomware attacks. 

Some 73% reported viewing cybersecurity as a priority, 72% said they believe their boards clearly understand the cyber risks their organizations face, and 70% said they believe they have made adequate cybersecurity investments.

However, awareness and investments did not translate into satisfactory preparedness, according to the board directors surveyed. 

The researchers describe this as a paradox: 84% of responding board members believe their cybersecurity budgets will increase over the next 12 months, yet 53% still view their organization as unprepared to cope with a cyberattack over that same period.

The report discusses several other key findings, and chief among them is a measure of improvement in CISO interactions and relationships with boards. 

More than half of the directors (53%) said they interact with security leaders regularly, a 6% increase over the share that reported a sound CISO-C-suite connection last year. In the February CISO survey, CISOs reported a similar improvement in their relationships with the C-suite.

Board members and CISOs also proved to have similar concerns, ranking malware as their top concern (40%) followed by insider threats (36%) and cloud account compromise (36%). 

However, board members report more confidence in their organization's ability to protect data than CISOs do: 75% of directors, compared with 60% of the CISOs surveyed about their confidence earlier this year.

Researchers said some of the findings in their 2023 comparison of board and CISO cybersecurity thinking are more concerning when it comes to third-party attacks.

"Despite a marked increase in supply-chain attacks, just 26% of board members cited the threat as a top concern," they said.

"This may be partly explained by the recent finding in the 2023 Voice of the CISO report that 64% of CISOs believed their organization had appropriate controls in place to mitigate supply-chain risk," the researchers added.

The report also points to the victims of attacks exploiting the MOVEit vulnerabilities, saying that "there is no room for complacency," with supply chain attacks on track to cost almost $46 billion by the end of 2023 and more than $80 billion by 2026.

With 72% of directors reporting concern over their personal liability after a cybersecurity incident, it is not surprising that board members named bigger cybersecurity and infosec budgets, additional cyber resources and better threat intelligence as the top items on their wish lists.

The emergence of generative AI has also sharpened board members' sense that new technologies in the hands of the masses bring increased risk to their organizations: 59% of those surveyed cited generative AI as a security risk for their organization.

Board members from Japan, Singapore and Australia said they are most concerned about generative AI, according to the Proofpoint report. 

"As it stands now, the biggest threat from tools such as ChatGPT is employees uploading sensitive content to assist with research or report writing," researchers noted.

"But bigger problems are no doubt on the horizon. Cyber criminals already use AI to reduce the time-consuming aspects of phishing and finding and exploiting vulnerabilities. AI also allows those with limited technical chops to enhance their cyber attacks," they added.

THE LARGER TREND

In healthcare, boards have often been seen in years past as responding too slowly or not investing in security preparedness at a level commensurate with the cyber threat to hospitals and health systems. 

But John Riggi, national advisor for cybersecurity and risk for the American Hospital Association – who will be delivering the opening keynote Sept. 7 at the HIMSS Healthcare Cybersecurity Forum in Boston – says that's changed in recent years as the scope of the problem has become clear.

"It's become crystal clear to hospital leaders in the boards, at least the ones that I speak to, that cyber risk is truly an enterprise risk issue," said Riggi. "It impacts every function in the organization. But most importantly, it is a risk to patient safety.

"Every CEO I speak to ranks cyber risk as their number one or two risk issues," he added. "And they are absolutely trying to bolster their defenses by adding more cyber budget, trying to add more technology, and really trying to mature their cybersecurity programs overall."

Proofpoint surveyed CISOs in early February about their challenges, priorities and expectations, asking about their experiences over the past year and their outlook for the years ahead. In the Voice of the CISO report's foreword, Lucia Milica Stacy, Proofpoint's global resident CISO, cited the pressure the global recession has put on security budgets.

"CISOs must remain steadfast in pressing the C-suite for critical controls to protect their organizations," she advised.

ON THE RECORD

"The newfound alignment between board members and their CISOs on cyber risk and preparedness is a positive sign that the two sides are working closer together and making progress," Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said in a statement.

"However, this growing alliance hasn't yet delivered significant changes in cybersecurity posture, despite boards feeling good about the time and resources they're investing to combat this risk."

The HIMSS Healthcare Cybersecurity Forum kicks off on Thursday, September 7 and runs through Friday, September 8 in Boston. 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.