By 2025, 40 per cent of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10 per cent today, according to Gartner.
The rapid expansion of digital technologies last year – and the cyber risk that followed – amid social distancing restrictions is producing several organisational changes, according to the analyst firm, which polled boards last year to better understand the shifts.
The cost of cybersecurity failure is often poorly understood. The Warwick Business School at the University of Warwick in the UK has studied the long-term impact of cybersecurity breaches on companies. As expected, the share value and liquidity of the affected firms dropped significantly on the day of the breach and in the days afterward; however, that effect dissipated quickly. But there was more lasting, long-term damage that often goes unnoticed.
For instance, dividends were lower and R&D suffered when viewed over a 5-year time frame, likely because funding was diverted to everything from greater investment in security hardening programs to remediate problems, to brand rebuilding and media management.
The report, called Cyber Attacks and Stock Market Activity, authored by Dr Daniele Bianchi and Dr Onur Tosun, analysed data breaches at 41 publicly listed companies in the US between 2004 and 2016.
Describing their paper, the authors noted, “As a matter of fact, the knock-on effect of a data breach can substantially affect a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affect firms’ policies and ultimately revenues and profits. For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions.”
A seat at the table
According to the new Gartner 2021 Board of Directors Survey, cyber is now seen as the second-biggest source of risk for the enterprise, following only regulatory compliance risk.
Four in five APAC organisations reported one or more significant cyberattacks in the last year, according to recent research from cyber vendor Trend Micro. Nearly one in five experienced seven or more attacks.
Gartner says the growing risk is increasingly receiving the attention it deserves at the board level.
“To ensure that cyber risk receives the attention it deserves, many boards of directors are forming dedicated committees that allow for discussion of cybersecurity matters in a confidential environment, led by someone deemed suitably qualified,” said Sam Olyaei, research director at Gartner.
“This change in governance and oversight is likely to impact the relationship between the board and the chief information security officer (CISO).”
While the board’s involvement will bring greater scrutiny to CISOs it should also bring more resources and support, according to Gartner.
The number of CISOs with key relationships with other top executives is expected to triple to 60 per cent by 2024.
“Effective CISOs realize that heads of sales, marketing and business unit leaders are now key partners as the use of technology and, subsequently, the incurrence of risk happens outside of IT,” said Gartner’s Olyaei.
To mitigate the growing cyber risk, Gartner says, leaders should break down the siloed nature of security disciplines and expand the “IT-centric” focus of most security teams.