Australian board members lag behind cybersecurity maturity
Australian board members significantly lag behind global counterparts in cybersecurity maturity, according to a new report from Proofpoint.
Proofpoint has released its Cybersecurity: The 2022 Board Perspective report, which explores board of directors’ perceptions about their key challenges and risks.
Of the 600 board members across 12 countries surveyed globally, key Australian findings reveal only 58% of Australian board members see cybersecurity as a top priority – the least of all 12 countries surveyed (global average 77%).
The report found just 54% of Australian board members are confident in their board's understanding of systemic risks from cyber threats – the second lowest at 11th place of all countries surveyed (global average 75%), and 72% feel that they’ve made adequate investments in cybersecurity.
Half of Australian boards agree that organisations should be required to report a material cyber attack to regulators within a reasonable timeframe – the lowest of all 12 countries surveyed (global average 80%), whilst 34% disagree (highest of all countries).
According to the report, just over half (56%) of Australian boards discuss cybersecurity at least monthly – compared to 76% of boards globally. Only 66% of Australian boards expect an increase in their cybersecurity budget in the next 12 months, the lowest of any market surveyed (global average 87%). In addition, 22% expected budgets to go down, compared to the global average of 5%.
The Cybersecurity: The 2022 Board Perspective report examines global, third-party survey responses from 600 board members at organisations with 5,000 or more employees from different industries. In August 2022, 50 board directors were interviewed in each market across 12 countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico.
The report explores three key areas: the cyber threats and risks boards face, their level of preparedness to combat those threats, and their alignment with CISOs based on the CISO sentiments Proofpoint uncovered in its 2022 Voice of the CISO report. We found a disconnect between the two sides in cyber risks, consequences, and threats.
“It is encouraging to see that cybersecurity is finally a focus of conversations across boardrooms. However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organisations for material cyberattacks,” says Lucia Milic, Vice President and Global Resident CISO at Proofpoint.
“One of the ways boards can boost preparedness is by getting on the same page with their CISOs. The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organisational success.”
Proofpoint and CAMS’ Cybersecurity: The 2022 Board Perspective report highlights global trends, along with industry and regional differences among organisational leaders.
The report there is a disconnect between the boardroom and CISOs when evaluating the risk posed by today’s sophisticated cybercriminals: 52% of Australian board members believe that their organisation is at risk of material cyberattack in the next 12 months, compared to 68% of CISOs.
Board members and CISOs have similar concerns about the threats they face, with board members in Australia ranking email fraud/business email compromise (BEC) as their top concern (44%), followed by supply chain attacks (32%), and cloud account compromise (28%). CISOs ranked insider threat, email fraud/BEC, and supply chain attacks as their top concerns.
Awareness and funding do not translate into preparedness, the report revealed, with 72% of Australian respondents think they have invested adequately in cybersecurity and 66% believe their data is adequately protected. However, 34% still view their organisation as unprepared to cope with a cyberattack in the next 12 months.
Meanwhile, board members agree with CISOs about the most important consequences of a cyber incident. Significant downtime is at the top of the list of concerns for Australian boards (42%), followed by internal data becoming public (30%) and disruption to operations (30%). These concerns are similar to those of Australian CISOs, who are also worried about significant downtime and disruption of operations, along with impact on business valuations. This differs globally, where boards are most concerned about internal data becoming public (37%) followed by reputational damage (34%) and revenue loss (33%).
High employee awareness doesn’t protect against human error, the report says. Although 62% of those surveyed believe their employees understand their role in protecting the organisation against threats, 60% of Australian board members believe human error is their biggest cyber vulnerability – despite the World Economic Forum finding that this risk leads to 95% of all cybersecurity incidents.
The report says the relationship between boards and CISOs has room for improvement. In Australia, 63% of board members report seeing eye-to-eye with their CISO and 58% of CISOs feel the same.
“Board members play a key role in their organisations’ cybersecurity culture and cybersecurity posture. Board members have fiduciary and oversight responsibility for their organisations; therefore, they must understand the cybersecurity threats their organisations face and the strategy their organisations take to be cyber resilient,” says Dr. Keri Pearlson, executive director at Cybersecurity at MIT Sloan (CAMS).
“Board members need to look for ways to make CISOs their strategic partners. With cybersecurity risk front and centre on boardroom agendas, a better alignment of CISOs’ and boards’ cybersecurity priorities will only serve to improve their organisations’ protection and resilience.”