Nick Wilding noted, in response to new research with FTSE 350 companies, that while an increasing number of board members are now taking the risk of a cyber attack more seriously, it remains a concern that more than two-thirds of boards receive very little insight or only some cyber risk management information.
Mr Wilding was responding to a new report from HM Government which shows that 70% of the FTSE 350 companies surveyed still view cyber as low or medium risk compared to all the risks they face.
The latest FTSE 350 ‘Cyber Governance Health Check Tracker Report’, issued by the Department for Business, Innovation and Skills (BIS) on 16 January, found that although improvements had been made in recognising and addressing cyber risk, there still appears to be much to do before boards can say they are managing one of their key risks effectively.
The research, carried out with Non-executive Directors, CFOs and Chairs of the Main Board of FTSE 350 companies, reported some positive signs: 88% of companies now include cyber risk in their risk register and 92% of boards have a clear understanding of the value of their companies’ critical information. It also appears that the right people are getting involved, with the executive board, audit committee and the IT/Security board reported as the most commonly identified governance groups where cyber risk events were considered.
Mr Wilding said: “While it is encouraging that cyber risk now appears to be higher on the board agenda, many companies continue to struggle to understand what good really looks like. It’s concerning to see that over 75% do not, or only loosely, explicitly set their appetite for cyber risk, both for existing business and for new digital innovations. Furthermore, over 70% still view cyber as low or medium risk compared to all the risks they face.
“Unless a company board has had to deal with a critical cyber risk or crisis, it is very difficult to properly understand the full impact such an incident can have. Having the necessary best practice and intelligence at your fingertips is crucial in planning for resilience or responding effectively to a crisis. It’s therefore worrying to read that over 70% of company boards reported that they received very little insight or only some cyber risk management information.
“More and more companies acknowledge that their biggest risk is their people – we all have the potential to be the weakest link in any security chain. In the future it would be good for the FTSE 350 survey to include questions that assess the board’s understanding of how they are tackling their people risk – from the boardroom down.”
AXELOS was formed in 2013 to promote and grow the Best Management Practice portfolio, including ITIL® and PRINCE2®, the most widely adopted frameworks for IT Service Management and Project Management. A new Cyber Resilience Best Practice portfolio will be launched in mid-2015.