A lack of information sharing between information security bosses and the board is hampering efforts to manage cybersecurity risk, according to a new report from KPMG.
The consultancy studied FTSE 350 companies as part of the government-backed Cyber Governance Healthcheck initiative designed to appraise levels of cybersecurity awareness and preparedness across UK firms.
Disappointingly, it found that a quarter of boardroom respondents never receive high-level updates from CIOs or security chiefs on what online risks they’re facing.
There also appears to be confusion around who should be responsible for cybersecurity in an organization.
Some 16% said the CEO should take responsibility, while 31% claimed the CFO should be in charge, and a further 15% said the CIO should have a leadership role.
Despite this, the majority of respondents believed their company was taking information security seriously.
Nearly two-thirds (61%) of board members said they had a good understanding of their firm’s key data assets, and 55% said they understood the impact of losing them.
However, only a quarter (24%) said they regularly reviewed risk management around valuable corporate data and 65% admitted they rarely or never did, the survey found.
Malcolm Marshall, global leader of KPMG’s cybersecurity practice, told Infosecurity that the CSO needs to lead on a day-to-day basis, but at an executive level it’s more likely that the CIO or CFO are in charge.
“The right choice depends as much on the caliber, experience and influence of the individual as the job title – a business and risk orientated CIO is a good choice, but a CIO who is effectively just a head of IT is less likely to be a good champion,” he argued.
“The closest you can get to a fix is deeper and better informed board engagement. One good example is a financial services business where the full board reviews security incidents every quarter – this gives them an insight into the challenges and makes their decisions about prioritization of spend much more effective.”
The study also found a significant increase in the number of FTSE 350 firms carrying out due diligence on third party providers before signing contracts, with nearly half (44%) saying they do so – up from just 7% last year.
Some 48% said they had inserted clauses in their contracts on cybersecurity risk, up from a third in 2014.
However, relying on legal clauses doesn’t prevent firms’ supply chains from making information security errors, even if it sometimes provides “a precarious safety net,” Marshall argued.
“It is much better to engage your supply chain in a constructive approach to improving security together. Some big organizations educate their smaller suppliers in improving security and have seconded security staff to them to help them implement changes,” he added.