Straight Talk IT

Ovum view

Security professionals know that cyber-attacks will invariably penetrate their organizations, and that appropriate cybersecurity strategies must focus on detection, damage limitation, and remediation. Ensuring that such a strategy is in place, and closely monitoring the response of the organization to cyber-threats, is a board-level responsibility, and though it now registers higher on the priority list for senior executives, I believe the time has come for regulation as part of corporate governance to ensure that every company is taking sufficient action.

The level of cyber-risk has reached a point where it represents a continuous threat to the health of the organization, and board members must understand the potential impact of attacks on the company in areas including its operations (both physical and online), staff, reputation, and financial standing. There must be a close relationship with the chief information security officer (CISO) or their equivalent, with regular communication on investment in security defenses, the response plans that are in place, security awareness and training, the current level of threat, and details of significant incidents.

There is no doubt that boards are now taking these issues more seriously, driven in large part by regular and repeated evidence of cyber-attacks and their consequences. In the US, the SEC commissioner noted that boards of the largest enterprises are almost all now taking responsibility for oversight of cyber-risk management; in the UK there has been strengthened guidance from government to boards on these issues; and in many countries there is increased transparency and sharing of security intelligence.

However, when a significant cyber-attack does get through, it is rather akin to a baring of the corporate soul (particularly now that the reporting of these incidents is mandated), and it's clear from the majority of such cases that there continue to be major failings in both the state of readiness and the plan for response.

Handling of cybersecurity matters is delegated to the audit committee in some enterprises, or to a specialist subcommittee in others, but ultimate responsibility lies with the main board and its directors. I believe it is now time for the board to publish a more formal summary of its cyber-risk preparations and oversight, as part of its annual reporting. This should demonstrate that the board has considered the range of risks and their possible consequences, has ensured that there are sufficient expert resources and capability investment to address these risks, and is undertaking regular reviews of the risk landscape and testing the organization's readiness to respond.

While it is certainly no panacea against cybersecurity incidents, such regulation should encourage organizations to follow good practice in their cybersecurity preparation and give stakeholders greater visibility and assurance into what is potentially the greatest risk that faces every enterprise.

Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.