Skip to main content
close search
site logo

CISOs under pressure from boards to downplay cyber risk: study

Research from Trend Micro shows tension between CISOs and senior enterprise leadership. Many security leaders say they’re perceived as nags.

Published May 30, 2024
David Jones's headshot
Reporter
Silhouette of several business people at a conference room table.
FangXiaNuo via Getty Images

The majority of CISOs and other IT security leaders, almost 4 in 5, say they have felt pressure from their corporate boards to downplay the severity of cyber risk, according to a study commissioned by Trend Micro.

The study highlights ongoing tension within the upper ranks of corporations between C-suite executives, investors and security operations over how to properly manage and communicate security risk.

“The board is focused on the overall business and typically there is a big effort to ensure the company supports their investors,” Jon Clay, VP of threat intelligence at Trend Micro, said via email. “As such they want to ensure the reputation, revenue and profitability is tantamount.”

Among those security leaders feeling pressure from their boards, the report found 43% say they are seen as nagging or repetitive and 42% say they are seen as being overly negative about cyber risk. The report is based on a worldwide survey of 2,600 IT security leaders conducted by Sapio Research. 

The debate is particularly relevant in the U.S., as the Securities and Exchange Commission requires publicly traded companies to disclose material cybersecurity incidents within four business days of such determination. 

Companies must also annually disclose information about their cyber risk strategies.

The SEC in 2023 filed charges against SolarWinds and its top cyber risk executive, alleging the company misled investors about the company’s cyber resilience.   

Brian Walker, CEO of the CAP Group, which advises corporate boards and executives on cyber risk, disagrees with the findings about board pressure, but agrees communications between CISOs and board directors are often misaligned. 

“Most boards are aggressively trying to understand cyber risks in context of all other enterprise risks,” Walker said via email. 

The findings are somewhat contradicted by a report from Proofpoint, which shows increased alignment between CISOs and their respective companies. The 2024 Voice of the CISO report shows 84% of CISOs say they see eye-to-eye with their boards on cyber risk, a significant improvement from a year ago, when only 62% saw such alignment. 

Despite the improvements, CISOs still feel tremendous pressure to carry the weight of cyber risk on their backs. Proofpoint's study shows 66% of CISOs say they are faced with excessive expectations, compared with 61% in the year-ago study. 

“While CISOs are enjoying closer ties with key executive partners, stakeholders, board members and regulators, this proximity also brings higher stakes, more pressure and heightened expectations,” Patrick Joyce, global resident CISO at Proofpoint, said via email. 

Two-thirds of CISOs are concerned about personal liability, compared with 62% in the year-ago study. More than 70% of those surveyed said they would not join a company unless they had directors and officers coverage, which is personal liability insurance for top executives. 

Editors' picks

Company Announcements

View all | Post a press release
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell