On a quest in 2016 to understand better how company boards of directors view security, cyber-risk analytics firm Bay Dynamics released its third report this year on board perceptions. Aimed at discovering what's driving boards of directors to make cyber-security a top priority, the study found that compliance with regulations was the key reason.
Among the key findings in the report is that 30 percent of respondents indicated that cyber-risk is considered a high priority. A key number to track is the change in percentage of board members who rate cyber-security as a low priority: a sharp drop from 48 percent in 2014 to 14 percent in 2016, said Ryan Stolte, co-founder and CTO at Bay Dynamics.
Overall, Stolte told eWEEK he was surprised about how the story unfolded. "First we confirmed that there was a significant change in the perception at the board level. Then, when it came to the 'why' factor, I was pleasantly surprised to find out that it wasn't due to high-profile breaches in the news, but instead, it was due to complying with regulatory requirements."
Bay Dynamics' first report on board security perceptions was released in February and examined the security information given to boards. The second report, released in June, determined that cyber-risks were the highest priority for the majority of board members surveyed. The new report is based on responses in 126 surveys completed by board members that received information on their company's cyber-security programs
"This new report went one step further asking board members why they are putting cyber-security at the top of the priority list," Stolte said. "One would assume it's due to the regular barrage of high-profile data breaches, but as this new survey shows, the main driver is complying with regulatory requirements, which, as the survey also shows, board members say is becoming increasingly difficult."
Stolte said he was uplifted to see that boards are taking regulations and frameworks seriously and attempting to implement them, versus solely being driven by fear. Board members are in tune with the impact of compliance and that's a positive finding, he said.
According to the study, 46 percent of surveyed board members view regulations as very sufficient in helping protect corporate data assets. Those regulations include the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act for data retention and disclosure.
Meeting various cyber-security regulations, however, is becoming increasingly difficult, with 58 percent of respondents stating that it is either "somewhat" or "very" challenging to satisfy cyber-security mandates.
Additionally, cyber-security isn't seen as a purely technical issue by boards; 67 percent of respondents indicated that cyber-security is a problem that is evenly balanced between being a business risk issue and a technical issue, the study found.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.