BURLINGTON, Mass. — May 28, 2015 — Veracode, a leader in protecting enterprises from today’s pervasive Web and mobile application threats, today issued findings from a joint NYSE Governance Services/Veracode survey of nearly 200 directors of public companies revealing how cybersecurity is understood, prioritized and addressed at the board level. Cybersecurity has clearly become an important board-level priority, with more than 80 percent of respondents reporting that cybersecurity is discussed at most or all boardroom meetings. At the same time, a surprising 66 percent are not fully confident their companies are properly secured against cyberattacks.
Pressure has been mounting in the boardroom following multiple high-profile breaches leading to C-level changes. In fact, many board members are now being tasked to personally manage cybersecurity as a risk area, according to the Information Systems Audit and Control Association (ISACA)[1]. This has created a need for CISOs to better understand board member perceptions and become more effective at communicating their cybersecurity strategies in the boardroom.
Strategic Insights for CISOs
Based on survey results across a variety of industries — including financial services, health care and technology — board members clearly understand the connection between cybersecurity and the bottom line. Yet the results also reveal a significant disconnect when it comes to how board members prioritize cyber risk when introducing new technology-based products or services. While it’s refreshing to see cybersecurity risk move higher on the board’s agenda, board members ranked it second to last in priority when developing new products and services (behind other concerns such as competitive differentiation, revenue potential and development costs).
Key insights from the survey that CISOs can use when presenting to the board include:
- Map Risk to Top Cybersecurity Concerns. Respondents listed brand damage, breach cleanup costs and theft of corporate intellectual property — leading to loss of competitive advantage — as their top three cybersecurity worries.
- Gain Visibility Into Third-Party Risk. More than 70 percent of respondents reported having significant concerns about the risk posed by third-party software in their supply chains.
- Use Risk Metrics. When asked how they would like cybersecurity information to be presented, nearly two-thirds of respondents indicated a strong preference for either risk metrics or high-level strategy descriptions rather than descriptions of security technologies.
- Demonstrate Business and Communications Skills. In addition to technical skills and experience, respondents listed business acumen and strong communication skills as the top three qualities that strong CISOs should possess.
- Encourage Shared Responsibility. After a breach, board members said they are more likely to hold the CEO accountable — signaling a shift away from putting the onus squarely on the CISO.
“CISOs should leverage the momentum created by the board’s increased focus on cybersecurity to build consensus and support around what it takes to reduce risk for the business, across people, process and technology,” said Chris Wysopal, Veracode co-founder and CISO. “There will be bumps in the road for everyone involved, especially now that the board is becoming an active participant in what was once a deeply technical domain. This requires CISOs to expand their skillset and get comfortable describing cyber risk relative to other business priorities and board-level concerns.”
The joint NYSE-Veracode white paper with more detailed statistics and conclusions from the survey can be found at https://info.veracode.com/whitepaper-cybersecurity-in-the-boardroom.html. An infographic based on the findings can also be downloaded at http://vera.cd/nyse-survey.
Methodology
The NYSE-Veracode “Cybersecurity in the Boardroom” survey was conducted electronically over the course of four weeks in March and April 2015. All of the nearly 200 respondents are board directors of public companies, with 78 percent serving on one to three executive boards.
[1] ISACA, 2015, http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415...