CISOs under pressure from boards to downplay cyber risk: study
The majority of CISOs and other IT security leaders, almost 4 in 5, say they have felt pressure from their corporate boards to downplay the severity of cyber risk, according to a study commissioned by Trend Micro.
The study highlights ongoing tension within the upper ranks of corporations between C-suite executives, investors and security operations over how to properly manage and communicate security risk.
“The board is focused on the overall business and typically there is a big effort to ensure the company supports their investors,” Jon Clay, VP of threat intelligence at Trend Micro, said via email. “As such they want to ensure the reputation, revenue and profitability is tantamount.”
Among those security leaders feeling pressure from their boards, the report found 43% say they are seen as nagging or repetitive and 42% say they are seen as being overly negative about cyber risk. The report is based on a worldwide survey of 2,600 IT security leaders conducted by Sapio Research.
The debate is particularly relevant in the U.S., where the Securities and Exchange Commission requires publicly traded companies to disclose material cybersecurity incidents within four business days of determining that an incident is material.
Companies must also annually disclose information about their cyber risk strategies.
The SEC in 2023 filed charges against SolarWinds and its top cyber risk executive, alleging the company misled investors about its cyber resilience.
Brian Walker, CEO of the CAP Group, which advises corporate boards and executives on cyber risk, disagrees with the findings about board pressure, but agrees communications between CISOs and board directors are often misaligned.
“Most boards are aggressively trying to understand cyber risks in context of all other enterprise risks,” Walker said via email.
The findings are somewhat contradicted by a report from Proofpoint, which shows increased alignment between CISOs and their respective companies. The 2024 Voice of the CISO report shows 84% of CISOs say they see eye-to-eye with their boards on cyber risk, a significant improvement from a year ago, when only 62% saw such alignment.
Despite the improvements, CISOs still feel tremendous pressure to carry the weight of cyber risk on their backs. Proofpoint’s study shows 66% of CISOs say they are faced with excessive expectations, compared with 61% in the year-ago study.
“While CISOs are enjoying closer ties with key executive partners, stakeholders, board members and regulators, this proximity also brings higher stakes, more pressure and heightened expectations,” Patrick Joyce, global resident CISO at Proofpoint, said via email.
Two-thirds of CISOs are concerned about personal liability, compared with 62% in the year-ago study. More than 70% of those surveyed said they would not join a company unless they had directors and officers coverage, which is personal liability insurance for top executives.