
Proofpoint: Cybersecurity - 2022 Board Insights Report (English edition) (18 pages).pdf


Board director views on the global threat landscape, cybersecurity priorities and CISO relations

Cybersecurity: The 2022 Board Perspective

REPORT

Table of Contents

Cybersecurity From the Top: The Board Perspective
Section 1: A board's-eye view of the threat landscape
Section 2: Cybersecurity posture and the boardroom
Section 3: Examining the CISO's relationship with the boardroom
Conclusion: Actionable Insights for Board Members
Methodology

CYBERSECURITY: THE 2022 BOARD PERSPECTIVE

Proofpoint

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations' greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media and the web. More information is available at .

Cybersecurity at MIT Sloan (CAMS)

Cybersecurity at MIT Sloan (CAMS) is an interdisciplinary research consortium headquartered in the Sloan School of Management at MIT. In collaboration with researchers from departments around MIT and beyond, CAMS addresses the important need to improve the cybersecurity of all organizations through an interdisciplinary research approach focused on the strategic, managerial and operational issues related to cybersecurity. CAMS brings together thought leaders from industry and government with MIT faculty, researchers and students. The research consortium delivers its findings and actionable insights through published research papers, high-impact managerial outlets and a variety of meetings, workshops, conferences and educational activities. Find CAMS research in Harvard Business Review, Sloan Management Review, The Wall Street Journal, The New York Times and many other publications. Members of CAMS, whose support funds the research and who have first access to the findings, include companies from many different industries including financial services, energy, chemicals, healthcare, industrial automation, manufacturing, information services, natural gas, utilities and more. Please visit us at https://cams.mit.edu.

Cybersecurity From the Top: The Board Perspective

Not long ago, few boards of directors knew much about cybersecurity risks, let alone took an active interest in the topic. That mindset has changed dramatically in recent years. But as this report shows, we still have some way to go.

Overall, board members are confident they understand the threat landscape, prioritize cybersecurity appropriately and have invested enough to keep their organizations safe. Still, in light of rising rates of cyber attacks and differing and sometimes conflicting opinions among CISOs, this optimism may be misplaced.

Bridging the disconnect is vital. CISOs and the wider board need open lines of communication. But often, boards are relentlessly focused on the bottom line and CISOs mired in technical language. Over time, effective business-first communication gives way to muddled perceptions and misaligned priorities.

At a time when we are more connected and digitally reliant than ever, this board-CISO relationship has never been more important. It has also never been more challenging.

To protect people, defend data and ensure continued organizational success, CISOs must communicate effectively with their boards. That means putting threats in perspective, fostering collaboration and driving accountability. At the same time, board members need to work to understand how cybersecurity risks can affect their organization's business goals.

To explore the situation further, Proofpoint commissioned a survey of 600 board members at organizations with 5,000 or more employees across 12 countries: the U.K., the U.S., Canada, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil and Mexico. Working with researchers at MIT Sloan's research consortium, Cybersecurity at MIT Sloan (CAMS) [1], we analyzed the responses and summarized the insights. We also compared some of the results to corresponding findings from our recent Voice of the CISO Report.

We hope these insights help shine a light on how well CISOs and the wider board understand each other.

This report would not have been possible without the participation of board members around the globe as well as our coauthors and research partners at CAMS. Thank you for your valuable support, insights and feedback.

Lucia Milica, Global Resident CISO at Proofpoint

[1] https://cams.mit.edu/

Section 1: A board's-eye view of the threat landscape

Like any effective cybersecurity strategy, investigating the board perspective must start by assessing the threat landscape.

Just under two-thirds of board members believe that their organization is at risk of a material cyber attack. This figure drops to 23% for those who believe the risk is very likely. These figures suggest a boardroom that is at least somewhat aware of the risk posed by today's sophisticated cyber criminals.

But we see a worrying disconnect when we compare these results with our 2022 Voice of the CISO Report (VOTC). Asked the same question earlier this year, just under half of CISOs felt they were likely to experience a material cyber attack within the next year, and 14% rated the risk as very likely. This disconnect held true around the world, with boards in many countries out of step with their corresponding CISOs.

Percentage of board members and CISOs who agree that their organization is at risk of a material cyber attack in the next 12 months:

Global: Board 65%, CISO 48%
U.S.: Board 78%, CISO 34%
France: Board 78%, CISO 80%
U.K.: Board 76%, CISO 60%
Japan: Board 72%, CISO 38%
Germany: Board 70%, CISO 40%
Spain: Board 68%, CISO 31%
Singapore: Board 66%, CISO 64%
Italy: Board 60%, CISO 46%
Brazil: Board 58%, CISO N/A*
Australia: Board 52%, CISO 68%
Canada: Board 50%, CISO 72%
Mexico: Board 50%, CISO N/A*

*Brazil and Mexico were not surveyed in the 2022 Voice of the CISO report.

Significant discrepancies emerged within industry sub-sectors, too. Board members in the financial services (73%), IT (73%) and manufacturing (70%) sectors believe they are at a higher level of risk than do their CISOs, who agreed 45%, 56% and 54%, respectively.

That board members and CISOs are not on the same page when it comes to risk may not be surprising, but it is certainly very telling. Most CISOs know too well the difficulties of obtaining buy-in for cybersecurity projects. This difference in perceived threat levels is a significant barrier to the united front that is essential for a successful cybersecurity defense.

“Board members have fiduciary and oversight responsibility for their organizations; therefore, they must understand the cybersecurity threats their organizations face and the strategy their organizations take to be cyber resilient. By virtue of their role in the organization, board members can have tremendous impact on cybersecurity posture, and our report illustrates that they take this responsibility seriously.”
Dr. Keri Pearlson, Executive Director, Cybersecurity at MIT Sloan (CAMS)

What, if anything, do you perceive to be the biggest cybersecurity threats within your organization/industry in the next 12 months? (Pick up to three)

Email fraud (Business Email Compromise): Board 41%, CISO 30%
Cloud Account Compromise (Microsoft 365, Google Workspace or other): Board 37%, CISO 30%
Ransomware attacks: Board 32%, CISO 28%
Supply chain attacks: Board 31%, CISO 27%
Distributed Denial of Service (DDoS) attack: Board 30%, CISO 30%
Malware: Board 30%, CISO 29%
Insider threat (negligent, accidental or criminal): Board 28%, CISO 31%
Smishing/Vishing: Board 22%, CISO 28%

Understanding threat actors

There are positives to take from board awareness of cyber attacks more generally. But it matters little if the C-suite does not also understand from where these attacks are likely to originate. That said, there is cause for optimism; board members and CISOs agree on the top concerns.

Surveyed board members rate email fraud and business email compromise (BEC) as their top concern (41%), followed by cloud account compromise (37%) and ransomware (32%). This tracks closely with the concerns of CISOs, who also rank email fraud/BEC and cloud account compromise as top concerns (along with insider threats and DDoS attacks). Notably, board members and CISOs do diverge in one important area: insider threats were not a top concern for boards, but the No. 1 concern for CISOs.

Most of these threats involve email; board members and CISOs alike are rightfully worried about them. Not only is email the No. 1 threat vector for all forms of cyber attack, but it is also the area with most scope for human error. No email protection is 100% failsafe. Some threats will reach the inbox; when they do, your people form the last line of defense. Just one errant click, rushed reply, or malicious download can have severe consequences for your organization.

Assessing preparedness

Most board members are aware of the risk of cyber attacks in the near future. But how has this translated into preparedness? CISOs and board members are aligned here, but the news is not exactly cause for celebration. Forty-seven percent of all board members believe that their organization is unprepared for a cyber attack, and about the same amount of CISOs agree.

The alignment between board members and CISOs is relatively positive news, but their level of preparedness is of greater concern. Are only half of the world's organizations really prepared for a material cyber attack? If so, what are they doing that the other half is not? And are they focusing on resilience or just protection? Are they actively and regularly training all users on what to do both to prevent and respond in the case of an incident?

These are all certainly possible. But if anything, it seems more likely that they are underestimating today's sophisticated threats. They are likely focused primarily on protective measures, not ready to respond properly in the event of an attack. They may even have deemed the cyber attacks as “cost of doing business,” without fully understanding either the risk or the impact to the bottom line.

This misplaced sense of confidence continues when it comes to data loss. Overall, three-quarters of surveyed board members believe that their organization's data is adequately protected. Those in the U.S. (88%), Spain (88%) and Brazil (86%) are the most confident. On the other hand, most also consider data loss a top concern, suggesting somewhat less faith in their data protection and recovery capabilities. Many also see data protection as an area in need of bolstering, with 75% of board members citing information protection and data governance as a top priority. Those in Brazil (92%), Japan (86%) and France (84%) agree with this sentiment the most.

8 out of 12 surveyed countries consider Cloud Account Compromise one of the top 3 risks, with Germany (50%) and Japan (38%) rating it the highest. Ransomware attacks are the top concern for board members in Canada.

9 out of 12 surveyed countries consider email fraud/BEC one of the biggest three risks, with Spain (54%), Mexico (54%) and the U.K. (52%) leading the way. Supply chain attacks are the top concern for board members in France and Singapore.

Email fraud is the top concern for board members at organizations across retail, IT/tech/telecom, education, healthcare, media/leisure and public sector. For those in financial services, manufacturing and energy/oil/gas, cloud account compromise tops the list. The transport sector is by far most concerned about supply chain attacks.

Analyzing the data by country and industry highlights the differences in board members' perception of the biggest cybersecurity threats.

How prepared do board members feel they are to cope with a targeted cyberattack in the next 12 months?
Top 3 countries least prepared: U.K. 58%, Singapore 62%, Japan 72%.

CISOs feel least prepared in Australia, U.K. and Germany. Board members in the education sector feel the least prepared (62%). Those in energy/oil/gas and transport (both 23%) feel most prepared.

Counting the consequences

Board members were mixed when asked about the consequences of most concern. When asked about their greatest concerns in the event of a cyber incident, they ranked internal data becoming public (37%), reputational damage (34%) and loss in revenue (33%) at the top. Board members' top concerns clearly reflected their focus on their broader oversight and fiduciary responsibility for the entire organization.

While these are undoubtedly valid concerns, they are not the same as those cited by CISOs in our earlier report. As outlined in Voice of the CISO, significant downtime is the number one concern of CISOs (37%), followed by disruption to operations and impact on business valuation (36%). Operational downtime hits revenue streams and customers in direct and immediate ways.

Top concerns of board members in the event of a cyber incident: internal data becoming public (37%), reputational damage (34%), loss in revenue (33%).

Around the world, the U.K., Canada, France and Singapore view the impact of a material cyber attack on their organization's reputation as the most pressing concern. In Italy and Spain, loss in revenue is the most pressing concern. Significant downtime is top of mind for those in Germany and Australia.

Internal data becoming public was the top concern for board members at IT/tech/telecom, healthcare, manufacturing, media/leisure and public sector organizations. Significant downtime is of most concern to transport and retail, while disruption to operations worries financial services, business and professional and energy/oil/gas.

Spotlight on: The people problem

Despite some overconfidence in how prepared their organizations are for a potential cyber attack, board members are under no such illusions when assessing their biggest risk factor: human error. Two-thirds (67%) believe human error is their biggest cyber vulnerability. That this is most keenly felt in traditionally stricter corporate cultures such as Germany (80%), France (78%) and Japan (74%) shows just how aware the world's boards are about the role of people in cybersecurity.

Controls, perimeter defenses and technology alone are not enough. With 82% of successful cyber attacks involving the human element [2], our people are on the front line, and boards must protect them accordingly.

Statistics show that most cyber attacks happen because of some type of human error. That means making sure people throughout the organization, including board members, know what to watch for and what to do should they encounter a questionable email, link or website. Board members have both a personal and professional role to play. They, too, can be targets of cyber criminals who want to get into companies. Board members also have an oversight role to play as they evaluate the plans CISOs put forth to manage this problem.

[2] Verizon. “2022 Data Breach Investigations Report.” May 2022.

“Board Directors have not only realized the importance of cyber risk, but are spending more time with their CISOs recognizing the risk posture and more importantly, understanding the incident response plan.”
Julie Cullivan, Board Director

This difference of opinion, of course, comes from the different perspectives each role brings to the organization. CISOs primarily see their role as keeping attacks from disrupting the business and as enabling the business to continue to function despite cyber attacks. At public organizations, however, board members represent shareholders. They are most concerned with protecting the value of their investments, which can decline when the organization suffers in reputational damage or lost revenue.

Remarkably, the board members' concerns varied by country and industry.

On the regulations front, a resounding majority of board members (80%) believe that organizations should be required to report a material cyber incident to the government within a reasonable timeframe. Just 6% disagree. This is a stark contrast to conventional wisdom that reporting is more detrimental to reputation, potential fines and litigation than holding off. The finding suggests that boards are now much more willing to work together with regulators.

Boards in Brazil (92%), the U.K. (90%) and the U.S. (86%) feel this most keenly. Agreement is at its lowest in Australia (50%).

Almost 9 in 10 (88%) respondents whose organization is privately owned agree with reporting requirements compared with more than 7 in 10 (71%) whose organization is publicly owned.

Board members at organizations in the media/leisure (88%), IT/tech/telecom (87%) and manufacturing (85%) sectors were most supportive of a reporting requirement. The least supportive are energy/oil/gas/utilities (58%).

Section 2: Cybersecurity posture and the boardroom

Despite a level of misplaced confidence, board members are at least aware of the risks posed by cyber threats. Most also understand the pivotal role that their people play in these threats achieving success. Many also appear to recognize the systemic impact of cyber (third party risk, supply chain and people), with 75% agreeing they have such an understanding.

But while it is tempting to take this finding at face value, there is likely more here than meets the eye. Board members may indeed understand systemic risk in that they know what it entails. But their views on the impact of cyber threats on their organizations suggest they don't fully appreciate its consequences. Systemic risk has the potential to cause such widespread damage that private information becoming public and reputational impact would likely be the least of the board's concerns. Should an attack happen, getting the organization back into operation quickly and effectively would likely take precedence.

Canada (56%) and Australia (54%) are the least confident. Brazil (88%), Spain (88%) and the U.K. (84%) are most confident in their board's understanding of systemic risk.

We found a similar level of confidence in budget levels. A clear majority (76%) of board members feel that their organization has made adequate investments in cybersecurity. The interesting follow up for this question is how the respondents define “adequate investments.” Board members likely feel that their organization's investment is adequate because they have not experienced a cyber incident. Any cyber defense is good enough, until the moment it isn't.

The conventional approach is to invest in multiple layers of protection under the misguided assumption that the more layers of protection in place, the better. “Adequate investment” could imply that protections are in place, but that detection, recovery and response may still be lacking. Or it could mean that organizations have invested in technologies but fall short in organizational protections such as training and awareness. Regardless, a continued feeling of adequate investment will require increasing investment over time to ensure new vulnerabilities and threats are properly managed, and resilience continues to be a high priority.

Percentage of board members who agree that their organization has adequately invested in cybersecurity:

Global: 76%
Brazil: 92%
U.K.: 84%
Japan: 82%
Spain: 82%
Germany: 78%
Singapore: 78%
France: 72%
Australia: 72%
U.S.: 70%
Italy: 70%
Mexico: 70%
Canada: 64%

Board members feel strongly that their companies have adequately prepared employees in ways that increase cybersecurity. Just over three-quarters (76%) of board members reported that they believe employees understand their role in protecting their organization against cyber threats. This is surprisingly high, given much evidence to the contrary. Our research has repeatedly found that most users do not know what is expected of them in a breach. And only 57% of organizations run company-wide security awareness training programs [3].

Keeping cybersecurity on the agenda

When pitted against rapidly evolving and increasingly sophisticated threats, cybersecurity is never simple. Protections must be adapted to the threats of the day, and the organization must continually educate, motivate and reward their people for their role in keeping things secure.

The good news is most board members reported keeping the issue of cyber defense regularly on the agenda. Of those surveyed, 76% said they discuss security matters at least once a month. This is encouraging. But given the daily barrage of threats facing most organizations, it may not be enough. The greater concern is the 24% of businesses failing to discuss this important topic on a regular basis.

When a board takes notice and makes cybersecurity a priority, there is a trickle-down effect throughout your organization. Every level of the organization begins to make security a priority, and that builds and strengthens a culture of cybersecurity. A stronger culture builds a hardier defense against cyber threats.

Privately owned companies are more likely (82%) than publicly owned companies (70%) to discuss cybersecurity matters at least once a month.

Board members in Brazil (92%), the U.K. (82%) and Germany (80%) are most in agreement that employees understand their role in protecting the organization against cyber threats.

How often does your board discuss cybersecurity matters?

Once a month: 25%
Once every 2 to 3 weeks: 21%
Once a week: 16%
Every board meeting: 13%
Once every two months: 13%
Once every 3 to 5 months: 8%
Other: 4%

76% discuss security matters at least once a month (including 1% more often than once a week).

Similarly, most (77%) board members believe cybersecurity is a top priority for their board. While the voice of cybersecurity has been growing louder in the boardroom for some time now, this figure is auspiciously high. The frequent cybersecurity events of the past few years, especially the large number that have made headlines, have put pressure on executives and dramatically highlighted cybersecurity's critical role in protecting organizations and keeping them operating. It is encouraging to see this urgency being reflected at the board level.

Board members in Spain (88%), Brazil (84%) and the U.K. (84%) reported the highest level of agreement that cybersecurity is a top priority. At the other end of the scale, just 58% of Australia's board members agreed with this statement.

The overall percentage tracks with the finding that nearly three-quarters of survey respondents sit on boards where at least one member has cybersecurity expertise. Organizations that prioritize cybersecurity are also likely to support that commitment with cybersecurity expertise in the boardroom.

Percentage of board members who agree that cybersecurity is a priority for their board:

Global: 77%
Spain: 88%
Brazil: 84%
U.K.: 84%
Mexico: 82%
U.S.: 80%
Germany: 80%
Japan: 78%
Italy: 76%
Singapore: 72%
France: 70%
Canada: 66%
Australia: 58%

In further good news, almost three-quarters of boards have received some form of training on how to respond to a cyber incident. Still, it bears repeating that this is of little use if that training is not carried out on a regular basis. Security best practice is like muscle memory. It must be forged over time through repetition so that it can be reliably called upon when required. The more it is exercised, the stronger the muscle.

Globally, 73% of boards have at least one member with cybersecurity experience. The U.S. and Canada are least likely to have at least one board member with cybersecurity experience. Both were reported at 62%. Boards in Brazil (90%), the U.K. (84%) and Germany (82%) are the most likely to have at least one member with cybersecurity experience.

Spotlight on: Budget

A considerable majority (87%) of board members expect their cybersecurity budget to increase over the next 12 months, while just 5% expect a decrease. The U.S. (98%), Germany (96%), Spain (94%) and Brazil (94%) have the highest levels of expectation, while it is at its lowest in Australia (66%), where 22% also expect budgets to go down.

Because most respondents feel their organizations have adequately invested in cybersecurity, this finding suggests that board members know that they cannot sit still. The threat landscape is constantly evolving and cyber defenses must follow suit.

Board members in the manufacturing (96%), IT/tech/telecoms (92%) and business/professional (91%) sectors are most likely to expect an increase in their cybersecurity budgets. Public sector and energy/oil/gas/utilities (73%) are the least expectant.

[3] Proofpoint. “2022 State of the Phish Report.” February 2022.

Section 3: Examining the CISO's relationship with the boardroom

With cybersecurity now front-page news, the role of the CISO has taken on greater prominence in most organizations. Ninety percent of board members responded that they have a CISO in their organization. Where once boards perceived their CISO to have limited remit (defend against cyberattacks), the role is now rightfully regarded by many as more of an enabler to uninterrupted mission-critical operations. That recognition, in turn, has elevated this role from security infrastructure overseer to business partner.

More surprising, however, is that 10% of businesses of size do not have a dedicated CISO overseeing cyber strategy. The respondents in this study were all from organizations with more than 5,000 employees; every one of them should have a cybersecurity leader.

Board-CISO relations

Interaction between CISOs and their board appears to be an area for attention and improvement. Just half of board members regularly interact with their CISO; around a third say they see the CISO only when the latter is presenting to the board. While 73% say these presentations occur regularly, this may not be enough.

Bringing the CISO into the boardroom on a regular basis, and not just for presentations, shows that cybersecurity is a priority of the board. As addressed earlier in this report, board priorities have a trickle-down effect on the entire organization.

Board members can show their commitment to keeping the organization secure with greater interaction with their CISOs. Board meeting reports and presentations are just the beginning. Ask questions of your CISO. Follow up on headlines or news reports of breaches in other organizations with questions about how that type of breach might happen in your organization. Find other ways to personally support the CISO and the mission. These efforts will increase the likelihood that the rest of the organization makes cybersecurity a day-to-day priority.

Board members and CISOs do not always see things the same way. While over two-thirds (69%) of board members say that they see eye-to-eye with their CISOs, just 51% of CISOs feel the same way. Underpinning this disconnect could be the finding that only 67% of board members believe they understand cybersecurity matters well enough to have an informed discussion with their CISO. Or it could be related to the unique focus of each role (as mentioned earlier in this report). Often, CISOs report on statistics about security protection that are too technical or not focused on the business metrics that matter most to board members.

100% of respondents in Mexico said their company has a CISO, followed by 98% in Brazil, the U.S., Singapore and Spain. The lowest level of CISO representation on the board is in Australia (70%).

Regular CISO interaction with the board is highest in Italy (67%), Germany (59%) and the U.K. (55%). It is lowest in Mexico (26%).

“A clear message stands out for CISOs. While their cyber technical expertise is highly valued, the board also greatly values the CISO's ability to translate their technical aptitude into a risk management context and conversation.”
Bob Zukis, Founder & CEO, Digital Directors Network

Board members in Germany (89%), the U.K. (83%) and Spain (76%) see eye-to-eye with their CISOs the most. Relations are at their lowest in Brazil (57%).

Percentage of board members and CISOs who agree that they see eye-to-eye with each other:

Global: Board 69%, CISO 51%
Germany: Board 89%, CISO 48%
U.K.: Board 83%, CISO 65%
Spain: Board 76%, CISO 40%
Italy: Board 74%, CISO 34%
Mexico: Board 74%, CISO N/A*
U.S.: Board 69%, CISO 50%
France: Board 67%, CISO 64%
Australia: Board 63%, CISO 58%
Japan: Board 61%, CISO 52%
Canada: Board 60%, CISO 85%
Singapore: Board 59%, CISO 44%
Brazil: Board 57%, CISO N/A*

*Brazil and Mexico were not surveyed in the 2022 Voice of the CISO report.

Both board members and CISOs can help close this gap. Boards must take steps to keep cybersecurity on the agenda. The CISO, meanwhile, must deliver concerns and recommendations in a business-first manner. For example, board members are less interested in threat detection metrics than in how threat detection can affect revenues and reduce business risk. CISOs should avoid jargon and overly technical language and instead speak the language of the board and the business. Then they will be seen as business partners who understand the broader impact of their work and respected colleagues of their executive peers.

“The board and CISO relationship is entering a new phase and has never been more important. The rapidly evolving cyber risk environment and proposed regulations are transforming boardroom cybersecurity expertise. As a result, the role of the CISO is evolving away from technical specialist to business executive who can understand where business value is coming from and articulate to the board how to protect it.”
Betsy Wille, Director, The Cybersecurity Studio (former Abbott CISO)

What do boards expect of their CISO?

The traits most desired of the CISO by their boards differ depending on location and industry. But in general, board members reported that they most value cybersecurity experience (49%), technical expertise (44%) and risk management (38%).

These findings suggest a heavy focus on protection over resilience. Technical expertise is, of course, an essential requirement when making technology purchasing decisions. But when it comes to keeping an organization operational in the face of a cyber attack, CISOs also require a broader understanding of business management. Elevating board member expectations of the CISO will help build more meaningful, business-focused relationships.

Communication skills are seen as most valuable for CISOs in Japan and Australia.

5 out of 12 surveyed countries consider technical expertise to be the most valuable skill in a CISO, with Spain (56%) and the U.K. (54%) rating it the highest.

5 out of 12 countries consider cybersecurity experience to be the most valuable skill in a CISO, with the U.S. (64%) and Brazil (62%) leading the way.

Cybersecurity experience is the most desired CISO skill for board members at organizations across IT/tech/telecom, education, financial services, manufacturing, media/leisure, business/professional and transport.

Conclusion: Actionable Insights for Board Members

Only two-thirds of board members believe their organization is at risk of a material cyber attack, and even less than that believe the risk is very likely. Board members in most countries had markedly different perceptions of cyber risk than their CISOs, indicating a large opportunity for discussion between these two very important players in an organization's cybersecurity leadership. These conversations must take place regularly and in the language of business, rather than the tech jargon of security.

Board members' top concerns around the source and impact of cyber attacks indicate an understanding of the high risk that human error plays in creating vulnerabilities for their organization. The CISO and other operational leaders have the ultimate responsibility to put programs and culture in place to drive the behaviors of their employees. But board members have two roles to play here, too. One is as a member of the organization: board members must personally adhere to the organization's protocols around minimizing human risk. But the second is as a role model. The more the board makes cybersecurity a priority, the more other leaders will do the same. That trickles down throughout the organization. See it as an opportunity to supercharge the cybersecurity culture and change the dialogue from something the security team must do to something everyone must do. Every single person plays a part in keeping the organization secure.

Board members also can improve their organization's defensive posture by keeping cybersecurity front and center on their agenda. They can help their CISOs become business partners instead of security infrastructure overseers. Here are just a few key ways the board can help improve their organization's security strategy for both protection and resilience:

- Elevate cybersecurity to an agenda item every time the board meets. Placing this on the board agenda will keep it a high priority item with needed regular visibility.
- Create a customized board dashboard of relevant metrics to show areas of success and areas in need of improvement. The ability to regularly view important business and cyber metrics will help board members understand the trends their organization experiences as well as see progress from cyber investments over time.
- Build cybersecurity muscle so everyone knows how to protect from and respond to an incident. Board members want to understand their role in the event of an incident, and conducting regular table top exercises will teach them how to respond.
- Regularly interact with cybersecurity leadership to build stronger relationships between the board and cyber leaders. The more familiar they become, the more likely they will begin to see eye-to-eye and align their priorities around the most important cybersecurity decisions.

After all, kee

113、ping the lights on is everyones priority and board members just want to ensure that cybersecurity risk is properly managed so their organization is resilient to any attacks that come their way.“Making security a high priority helps drive the conversation forwardbut those conversations will have limi

114、ted success if the board members and their CISOs dont speak the same language or share the same goals.A better alignment of the two sides around priorities will go a long way in improving their organizations protection and resilience.Boards must find opportunities to forge strategic partnerships wit

115、h their CISOs to work collaboratively toward their common goals of minimizing their organizations risks and increasing their organizations cyber resiliency.”Dr.Keri Pearlson,Executive Director,Cybersecurity at MIT Sloan(CAMS)CYBERSECURITY:THE 2022 BOARD PERSPECTIVE17Methodology The Proofpoint Cybers

116、ecurity:The 2022 Board Perspective survey was conducted by research firm Censuswide between August 11 and August 22,2022.It surveyed 600 board directors from organizations of 5,000 employees or more across different industries in 12 countries.50 board directors were interviewed in each market,which

117、included the U.S.,Canada,U.K.,France,Germany,Italy,Spain,Australia,Singapore,Japan,Brazil and Mexico.3,941 board directors were invited to participate in the survey,resulting in a response rate of 15%.The data was analyzed by the Proofpoint resident CISO team.The data was also reviewed and this repo

118、rt coauthored by researchers from the Cybersecurity at MIT Sloan(CAMS)research consortium.The results,insights and implications are the opinion of the authors based on the data analysis.Censuswide complies with the MRS Code of Conduct and ESOMAR principles.IT,technology,and telecomsManufacturingand

119、productionFinancialservicesRetailHealthcareMedia,leisure,andentertainmentBusiness andprofessionalservicesPublic sectorEnergy,oil/gas,and utilitiesEducationTransportOther26%16%13%8%7%7%6%6%4%4%2%2%Within which primary sector is your organization?U.K.CanadaFranceGermanyItalySpainSingaporeJapanBrazilMe

120、xicoUSAAustralia34%66%34%62%36%44%50%64%16%74%40%58%66%34%66%38%64%56%50%36%84%26%60%42%Publicly ownedPrivately ownedIs your organization publicly or privately owned?ABOUT PROOFPOINTProofpoint,Inc.is a leading cybersecurity and compliance company that protects organizations greatest assets and bigge

121、st risks:their people.With an integrated suite of cloud-based solutions,Proofpoint helps companies around the world stop targeted threats,safeguard their data,and make their users more resilient against cyber attacks.Leading organizations of all sizes,including 75 percent of the Fortune 100,rely on

122、Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email,the cloud,social media,and the web.More information is available at .Proofpoint,Inc.Proofpoint is a trademark of Proofpoint,Inc.in the United States and other countries.All other trademarks contained herein are property of their respective owners.P LEARN MOREFor more information,visit .0401-003-01-01 09/22
