A recent survey by AttackIQ and the Ponemon Institute found that in most companies, the board of directors and the C-suite are not actively involved in the firm’s cybersecurity efforts. 63% of the IT and IT security professionals questioned indicated that the IT security decision makers in their organization do not regularly report to the board, and 40% said that such reporting never occurs. In 14% of firms, IT security leaders report to the board only in the wake of a security incident.
In a mere 28% of companies is the acceptable level of cyber risk ultimately determined by the board and CEO. In line with this, more than two in three respondents (69%) said that their company generally takes a reactive, incident-driven approach to cybersecurity. Larry Ponemon of the Ponemon Institute said the findings are worrisome because “enterprise culture is formed at the top. If enterprise leaders are not actively engaged in ensuring a strong cybersecurity posture, it sends the message that cybersecurity is not a mission critical issue.”