Beyond the hype and hysteria in the press about cyber security threats, board members and senior executives are genuinely interested in the IT risks they currently face.
This growing interest in IT risk is currently being driven by four consistent themes that we experience in our daily client interactions at Gartner.
1. Lack of understanding
Chief Information Officers and Chief Information Security Officers at many companies are just now beginning to have regular interactions with board members about IT risk.
However, even when these interactions are happening, they are often missing the mark because the IT risks are not presented in a business context that offer board members an opportunity to decide and act.
In our recent Global Risk Management Survey, we discovered that less than 35% of companies surveyed are integrating risk and performance data to influence IT and business unit decision making (see graphic below).
2. Increasing pressure to disclose technology risks
Market and industry regulators are pressing companies to be much more transparent in the disclosure of the technology risks they face.
For example, the U.S. Securities and Exchange Commission issued guidance in 2011 that instructs public companies to disclose the following:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences
- Risks related to cyber incidents that may remain undetected for an extended period
- Description of relevant insurance coverage