UK boardrooms and CISOs increasingly aligned on cyber risks

UK business leaders are far less concerned about the risk of a material cyber attack on their organisation than they were this time last year, according to data compiled by Proofpoint, which suggests a growing sense of alignment between security leaders and boardrooms.

In a study published last week, Cybersecurity: The 2023 board perspective report, Proofpoint revealed that 44% of UK board members felt their organisation was at risk, compared with 76% in the 2022 edition.

But although this may be read as a positive sign that chief information security officers (CISOs) and boards are working closer together and making progress towards addressing cyber risk factors, the newfound alignment between the two has not yet delivered significant change, even though boards feel good about the time and resources they are investing, said Proofpoint executive vice-president of cyber security strategy, Ryan Kalember.

“Our findings show that it remains a challenge to translate increased awareness into effective cyber security strategies that protect people and data,” he said. “Growing even stronger board-CISO relationships – particularly in the UK, where our data shows the need for significant improvement in this area – will  be instrumental in the months ahead, so directors and security leaders can have more meaningful conversations and ensure they’re investing in the right priorities.”

And Proofpoint resident CISO for EMEA Andrew Rose said that even with this positive change, board members should still keep in mind that the risk of material cyber attacks remains acute, and the threat landscape will continue its rapid evolution come what may. As such, he said, establishing and nurturing strong partnerships between boards and CISOs was more critical than ever.

“This is certainly not a time to grow complacent,” said Rose. “Boards must continue to invest heavily in improving preparedness and organisational resilience. This means pushing for even deeper, more productive conversations with CISOs to ensure directors are making informed, strategic decisions that drive positive outcomes.”

Among some of the other UK-specific findings contained in the report that may still give cause for concern, Proofpoint found that improved security awareness and funding were still not translating into actual preparedness – 44% of board members viewed themselves as unprepared for cyber attacks, despite 66% planning to increase their budgets, 48% thinking they were adequately covered already, and 50% believing they clearly understood the risks they face.

Directors and CISOs also differ when it comes to the biggest threats they perceive, with boards ranking malware, cloud compromise and ransomware higher than CISOs who were more worried about email fraud and business email compromise (BEC), insider threat, and smishing or vishing.

Board members felt less strongly about the importance of human error, while CISOs tended to be more confident in their ability to protect valuable data.

Proofpoint said it was clear that boardroom-CISO interactions and relationships still needed significant improvement. Fewer than half of board members said they interacted with their security leaders yesterday, compared with more than half in 2022, and when they did interact face-to-face, only 39% of board members said they saw eye-to-eye with their CISO, compared with 74% of CISOs who shared that view.

Some of the UK findings also stand in stark contrast to the global picture, with 73% of respondents saying they felt at risk of a material cyber attack, up from 65% in 2022. The study looked at the attitudes of 659 board members at large organisations with headcounts of more than 5,000 across multiple industries. Besides the UK, the bulk of the respondents were drawn from Australia, Brazil, Canada, France, Germany, Italy, Japan, Mexico, Singapore, Spain and the US.

Commenting on the report’s findings, Emily Phelps, director of Cyware, a threat intelligence specialist, said: “Proofpoint’s report illustrates how important communication and collaboration are across all levels of an organisation. The rise in board awareness is a great first step to addressing cyber attacks; ultimately, we want to capitalise on the growing awareness so that enterprises can more quickly get to meaningful action that reduces risk.

“As the report notes, new technologies pose new security risks, and while new technologies can also aid in security defence, it’s more important to ensure the technologies CISOs and security teams adopt work well together,” said Phelps. “The more collaborative the tools are, the better organisations can address people, tech and data silos, making it easier to get the right information to the right people at the right time so organisations can take the right action with confidence.”