Close this search box.
Close this search box.

Report: Boards Typically Updated On Cybersecurity Only After An Incident

© AdobeStock
If management executives, the board and the IT teams aren’t sharing the same information, it will be nearly impossible for companies to stay ahead of fast-evolving cyber threats.

A recent report from the Ponemon Institute suggests that boards of directors may need to improve communication with IT teams in order to protect against growing cyber-attacks on industrial controls systems (ICS) and operational technology (OT) environments. In fact, some may only be updated on cybersecurity matters when a security lapse occurs.

According to the report, many companies are not addressing the fact that different governance controls and procedures are required to safeguard different areas of the company. Boards should work to ensure that they understand the expanding scope of cyber risk, and that there is a comprehensive cybersecurity strategy in place with clearly defines the roles for the IT team, management executives and corporate directors.

The report said that 63 percent of the 603 survey respondents’ organizations had experienced an ICS or OT cybersecurity incident within the last two years, yet only 35 percent had implemented a unified security strategy program to secure both the IT (industrial) and OT (operational) environments of the company.

Additionally, the report found that C-suite executives and the board of directors are not regularly informed about the efficiency, effectiveness and security of their cybersecurity program. Only 35 percent of respondents said that someone responsible for ICS and OT cybersecurity reports information about IT and cybersecurity initiatives to the board. And of those, 41 percent said that they only received cybersecurity updates when a security incident occurs. If management executives, the board and the IT teams aren’t sharing the same information, it will be nearly impossible for companies to stay ahead of fast-evolving cyber threats. To combat this risk, boards should consider:

• Conduct a comprehensive review of the cybersecurity measures currently being implemented by all IT teams. The board and the management team must understand what is currently in place in order to determine if the company has adequate cybersecurity. If the board does not have a true cybersecurity expert among its ranks to oversee a review of all security systems, it may be necessary to bring in an outside consultant to determine where vulnerabilities are and how they can best be mitigated.

This comprehensive review should also be used as an opportunity to educate the board and management teams about the interaction between all those responsible for the industrial control systems (ICS) and operational technology (OT) systems of the company. The report authors make it clear that there are “fundamental differences between the problems and goals of a corporate IT environment—data safety and security—and industrial environments, where human health and safety, loss of physical production and facility shutdowns are real risks.” Effective cybersecurity measures will account for those differences and create clearly defined roles for industrial and operational team members, management executives and board members to follow if a cyber incident occurs. According to the report, only 48 percent of respondents said their organization understands cyber risks and have specific security processes and policies for OT and ICS environments.

A comprehensive review of cybersecurity measures will also allow the board and management to allocate an appropriate budget for security programs. A clear picture of what is currently being spent on security and what new risks the company faces will give the board enough information to determine what level of resources will be needed to protect the company’s industrial and operational systems.

• Create a cybersecurity or IT committee that reports to the board or appoint a cybersecurity expert to the board. Cybersecurity will continue to be an ongoing threat to all companies in all industries, so someone should be appointed to monitor these threats and keep the board and management team informed about strategies that can protect against security-related disruptions. A committee of IT executives that is responsible for cybersecurity measures and reports to the board may work for some companies, while having a board member with extensive cybersecurity experience who can suggest effective security procedures and evolving safety measures may also be effective.


  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events


    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)


    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.