A survey of 654 board directors conducted by PwC finds well over a third (38 percent) of respondents have consulted third-party experts in an effort to become more aware of cybersecurity threats. In addition, nearly three-quarters (64 percent) have increased the amount of time spent discussing cybersecurity on the board agenda, and 46 percent reported they have spent time studying cybersecurity issues, the survey finds.
MSSPs should have more high-level conversations
A board member of a company isn’t going to sign a contract for managed security services, but they do exercise a lot of influence. As a result, managed security service providers (MSSPs) would be well advised to spend some time identifying board members that are in the wake of new rules that are about to be enforced by the Securities and Exchange Commission (SEC).
The challenge is that while board members are inclined to trust the internal cybersecurity and IT teams that work for an organization, there is also going to be a sense of persistent doubt. At the very least, any responsible member of a board is going to look for some validation from a trusted third party. Unfortunately, the PwC survey makes it clear that directors have a long way to go before they really understand which questions they should be asking.
A full 87 percent said the pre-read cybersecurity materials and presentations provided by management teams are effective. However, only roughly half have examined incident readiness plan testing results (56 percent), cybersecurity program maturity assessments (53 percent) or third-party risk assessments (50 percent). More telling still, only just over a third (35 percent) have increased the number of meetings they are having with chief information security officers (CISOs), the PwC survey finds.
As organizations are increasingly held accountable for the state of cybersecurity within their own organizations, senior business leaders are going to change the way they view it. Cybersecurity has always been an issue, but the potential rewards for launching a new application or digital service have always outweighed the risks. That equation is not likely to change any time soon, but it’s clear that regulatory bodies around the world are going to make ignored cybersecurity risks more costly. That shift creates a unique moment in time for MSSPs to elevate conversations with clients that for the most part have tended to focus on tactics rather than strategy.
Of course, it takes time and patience to gain the confidence of senior business leaders. The one thing MSSPs should remember is that most directors don’t necessarily want to admit how much they don’t know about a business that they are being paid to oversee in the name of protecting shareholders. The more casual the education process is, the more comfortable a director is likely to be when it comes to learning. As such, a luncheon with peers is likely to be a far more effective way for an MSSP to gain influence than, for example, a webinar.
Regardless of the approach, there’s a new constituency in the process for contracting security services that MSSPs should not ignore.