Liability for an organization’s cybersecurity now extends well beyond IT to the entire C-suite and even the board. But being liable and knowing what to do about that liability are two different things.
A recent report by WomenCorporateDirectors and Marsh & McLennan provides a good snapshot of how businesses are addressing cybersecurity issues. Some findings:
- More than a third of directors at US public companies said they now discuss cybersecurity at every board meeting.
- Most boards have only one director serving as the tech or cyber expert.
- A third of organizations said they do not assess the cybersecurity risk of suppliers and vendors.
- Fewer than one third of companies have a cyber response plan. A separate survey by the National Association of Corporate Directors (NACD) indicates that, of the boards that do have one, about 40% have not reviewed it in the past 12 months.
- Technology executives and the board have a communications disconnect: 45% of risk and technology executives said they pass cyber-risk information on to the board, but only 18% of directors said they receive such information.
The takeaway seems to be that businesses now understand the concept of cyber risk but are still not equipped to deal with it.
For the C-suite and board to be effective in protecting the business, they need to be clear about what it takes to maintain a sound cybersecurity practice. Just as important, they need to understand that a cybersecurity plan is useless if it is not regularly reviewed and kept current.
For guidance, download and read our overview of cybersecurity fundamentals for executives.