Boards are grasping cyber threats, but CISOs still feel underprepared

A new report that looks at the cybersecurity posture of boardrooms – and examines the level of communication and collaboration between boards and hospital chief information security officers – shows a closer alignment between boards and their infosec leaders. But it shows that there is still work to be done to achieve a unified response to cyber threats.


Proofpoint's second annual Governance Perspective Report, published on September 6, examines three key areas: the cybersecurity threats and risks that boardrooms face, their level of preparedness to defend against these threats, and their alignment with CISOs – based on the sentiments revealed in the company's Voice of the CISO report released earlier this year.

To assess board perspectives, Proofpoint researchers examined responses to surveys conducted in June among 659 board members at organizations with 5,000 or more employees across industries, including healthcare.

More than 50 board members in each of the countries – the US, Canada, Great Britain, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil and Mexico – participated.

Board members cited concerns about continued volatility, including ongoing geopolitical tensions and an increase in ransomware attacks.

While 73% said they consider cybersecurity a priority, 72% said they believe their boards have a clear understanding of the cyber risks facing their organizations, and 70% said they believe they have made adequate investments in cybersecurity.

However, the awareness and investments did not translate into satisfactory preparation, according to the board members interviewed.

The researchers say there is a paradox, as 84% of responding board members believed their cybersecurity budgets would increase over the next 12 months, while 53% still believe their organization is unprepared to cope with a cyber attack in the year ahead.

The report discusses several other key findings, the most important of which is a benchmark for improving CISO interactions and relationships with boards.

More than half of executives (53%) said they had regular contact with security leaders, up from 6% who indicated a good CISO-C-suite connection last year. CISOs surveyed in early February reported a similar improvement in their relationships with the C-suite.

Board members and CISOs were also found to have similar concerns, with malware ranked as their top concern (40%), followed by insider threats (36%) and cloud account compromise (36%).

However, board members report more confidence than CISOs in their organization's ability to protect data: 75% compared with 60% of the CISOs surveyed about their confidence earlier this year.

Researchers say some findings from their comparison of board and CISO cybersecurity thinking could be more concerning in 2023 when it comes to third-party attacks.

“Despite a marked increase in supply chain attacks, only 26% of board members cited the threat as a top concern,” they said. That could also be related to the previous findings.

“This may be partly explained by the recent finding in the 2023 Voice of the CISO report that 64% of CISOs believed their organization had the right controls in place to mitigate supply chain risks,” researchers said.

They also cited victims of attacks that exploited the MOVEit vulnerabilities in the report, saying "there is no room for complacency" as total supply chain attacks are on track to cost nearly $46 billion by the end of 2023 and more than $80 billion by 2026.

With 72% of directors expressing concern about their personal liability following a cybersecurity incident, it is not surprising that board members listed larger cybersecurity and infosec budgets, additional cyber resources and better threat intelligence as the top items on their wish lists, according to the survey.

The rise of artificial intelligence has also reinforced board members' intuition that new technologies in the hands of the masses pose greater risk to their organizations: 59% of respondents cite generative AI as a security risk for their organization.

Board members from Japan, Singapore and Australia said they are most concerned about generative AI, according to the Proofpoint report.

“As it stands now, the biggest threat from tools like ChatGPT is employees uploading sensitive content to assist with research or report writing,” researchers noted.

"But there are undoubtedly bigger problems on the horizon. Cybercriminals are already using AI to reduce the time-consuming aspects of phishing and finding and exploiting vulnerabilities. AI also allows people with limited technical knowledge to improve their cyber attacks," they added.


In recent years, healthcare systems have often seen boards react too slowly or fail to invest in security preparedness at a level commensurate with the cyber threat to hospitals and healthcare systems.

But John Riggi, national advisor on cybersecurity and risk for the American Hospital Association — who will deliver the opening keynote at the HIMSS Healthcare Cybersecurity Forum in Boston on September 7 — says that has changed in recent years as the scale of the problem has become clear.

“It has become crystal clear to hospital leaders on the boards, at least those I speak to, that cyber risk is truly an enterprise risk problem,” Riggi said. “It has consequences for every function in the organization. But most importantly, it is a risk to patient safety.

“Every CEO I speak to considers cyber risk as their number one or two risk issue,” he added. “And they’re definitely trying to strengthen their defenses by adding more cyber budget, by adding more technology and by really trying to mature their cybersecurity programs in general.”

CISOs had disclosed their challenges, priorities and expectations to Proofpoint during its survey in early February. They answered questions about their experiences over the past year and their outlook for the years ahead, prompting Lucia Milica Stacy, Proofpoint's global CISO, to cite the pressure the global recession puts on security budgets.

“CISOs must remain steadfast in pressing the C-suite for critical controls to protect their organizations,” she advised in the Voice of the CISO report.


“The new alignment between board members and their CISOs on cyber risk and preparedness is a positive sign that the two parties are working more closely together and making progress,” Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said in a statement.

“However, this growing alliance has not yet resulted in significant changes in the cybersecurity posture, despite boards feeling good about the time and resources they are investing to combat this risk.”

The HIMSS Healthcare Cybersecurity Forum kicks off on Thursday, September 7 and runs through Friday, September 8 in Boston.

Andrea Fox is editor-in-chief of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.