How Oversight Impacts Enterprise Level Cybersecurity

A new report examines the benefits being realized by higher-level cyber scrutiny.


Diligent Institute and Bitsight recently unveiled a report entitled Cybersecurity, Audit, and the Board, with the goal of gaining deeper insight into board practices regarding cybersecurity oversight, and the impact they have on organizations. Some of the key findings included:

  • Companies with advanced security ratings, based on a formula utilized throughout the report, create nearly four times the amount of value for shareholders as companies with basic security ratings. On average, the Total Shareholders’ Return (TSR) over three and five years for companies in the advanced security performance range is approximately 372 percent and 91 percent higher than their peers in the basic security performance range.
  • Companies with a specialized risk or audit committee had, on average, higher security performance ratings.
  • The security ratings among companies with specialized risk and audit committees tend to skew towards the advanced security performance range, whereas companies lacking either of these committees tend to skew towards the basic security performance range.
  • Having a cybersecurity expert on the board is not enough. Integrating a cybersecurity expert into the board committee tasked with cybersecurity risk oversight makes a significant difference in an organization’s performance. Companies with cybersecurity experts on either audit committees or specialized risk committees achieve an average security performance rating of 700, whereas companies with cybersecurity experts but not on either committee attain a security rating of 580.
  • The percentage of companies with cyber experts on the board remains significantly low. Only five percent of companies within the sample had cyber experts on their boards.
  • Of the companies with advanced-level security performance ratings, nearly a quarter (24 percent) of companies with basic security performance ratings came from the industrials sector.   
  • 26 percent of industrial and critical infrastructure companies reside in the advanced security performance range.

A full copy of the report is available here.
