IT security professionals (the CIOs, CTOs, and CISOs of the world) are generally responsible for implementing and managing security in the trenches. In many organizations, though, it's the board that oversees security governance and makes the decisions about security purchases and policies. A new study from the Ponemon Institute and Fidelis Cybersecurity found a disturbing gap in knowledge between the two groups, one that makes effective cybersecurity difficult, if not impossible.
I wrote this blog post about the study:
A new survey from the Ponemon Institute and Fidelis Cybersecurity highlights some concerning data about the state of cybersecurity. "Defining the Gap: The Cybersecurity Governance Survey" shares the results of the study and finds a disturbing rift in cybersecurity knowledge between those who make the decisions and manage the budgets and those who have to implement and manage the security measures.
Ponemon surveyed more than 650 board members and IT security professionals (CIOs, CTOs, CISOs, and others) to get perspective on the level of cybersecurity knowledge and involvement by board members. The board members are ultimately responsible for governance of cybersecurity efforts, but many seem to lack the basic knowledge necessary to make informed decisions when it comes to managing the cybersecurity posture for the organization.
A press release from Fidelis explains, “Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur. Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.”
Lack of Critical Cybersecurity Knowledge at the Top
76 percent of those surveyed indicated that boards review or approve security strategy and incident response plans. However, only 41 percent of board members claim to have expertise in cybersecurity, and another 26 percent said they have minimal or no knowledge of cybersecurity.
You can read the full story on CSOOnline.com: Gap in cybersecurity knowledge creates challenges for organizations.