Helping Boards Understand Cybersecurity

According to recent Harvard research, cybersecurity is one of the greatest challenges corporate boards face, and yet it is the area in which they consider themselves least prepared.[i] At the same time, cybersecurity is a significant and growing expense for enterprises. Gartner estimates that spending on information security reached $81.6 billion in 2016,[ii] and analysts expect cumulative spending on cybersecurity to top $1 trillion over the five years ending in 2021.[iii] The cost of a data breach also continues to rise; the most recent reports indicate a 5.3% year-over-year increase.[iv] Not surprisingly, Fortune 1000 companies tend to be the hardest hit by cyber attackers, most likely because their IT systems contain the assets attackers prize most.[v] Fortunately, there is help for boards that want to understand cybersecurity.

Traditionally, boards concern themselves only with the highest-level matters of corporate governance – including fiduciary oversight, selecting the CEO, enhancing the organization’s public image, and organizational continuity – which necessarily touches on the high-level management of risks and resources. Consider for a moment that the average Fortune 1000 company’s market cap is 2.83 times its book value.[vi] Some analysts argue that the difference between market cap and book value can serve as a rough proxy for the value of the organization’s cyber assets: information, intellectual property, and the systems that process them. On that reading, the average Fortune 1000 organization’s cyber assets (about 1.83 times book value) are worth nearly twice as much as all of its other assets combined. Board members therefore need a way to understand cybersecurity in order to fully discharge their role.

Understand Cybersecurity with ThreatModeler™

Even though overseeing the organization’s cyber risk profile and threat portfolio falls within the purview of the board, only 34% of directors consider themselves ready to deal with cybersecurity issues effectively.[i] The most often stated reason is a lack of subject matter expertise, both personally and for the board as a whole.

The good news, however, is that directors can understand cybersecurity – at least as it affects the organization’s risk profile – without any particular security subject matter expertise, provided that understanding is supported by a mature, enterprise threat modeling practice. With ThreatModeler™, the subject matter experts contribute to the automated threat modeling process in several ways at an operational, boots-on-the-ground level. As the threat modeling process scales across the entire DevOps initiative portfolio, the CISO, senior executives, and board members gain access to high-level reports that can be readily understood in financial or strategic terms.

The high-level outputs available with a mature threat modeling practice include:

  • The ability to quantify the strength of the organization’s existing compensating controls relative to the organization’s specific attacker population;
  • Objectively measurable results for any cybersecurity initiative, which can be tracked over time; and
  • A rolling top-ten list of the most significant threats facing the organization, together with the potential technological and business impacts associated with those threats.

While few – if any – board members want to get into the weeds of the organization’s day-to-day cybersecurity issues, directors of Fortune 1000 companies are increasingly aware that the organization’s cyber risk profile is a board-level concern. With the high-level reporting capacity of ThreatModeler™, senior executives and directors do not need security subject matter expertise to appreciate or understand the cybersecurity issues facing their organization.

Contact us to learn more about the high-level reporting capabilities of ThreatModeler™.


[i] Cheng, J. Yo-Jud and Boris Groysberg. “Why Boards Aren’t Dealing with Cyberthreats.” Harvard Business Review. Harvard Business Publishing: Boston. February 22, 2017. https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats?es_p=3758018

[ii] Moore, Susan. “Gartner Says Worldwide Information Security Spending Will Grow 7.9 Percent to Reach $81.6 Billion in 2016.” Gartner Press Release. Gartner: Stamford. August 9, 2016. http://www.gartner.com/newsroom/id/3404817

[iii] Morgan, Steve. “Cybersecurity Spending Outlook: $1 Trillion from 2017 to 2021.” Cybersecurity Business Report. CSO Online. IDG: Boston. June 15, 2016. http://www.csoonline.com/article/3083798/security/cybersecurity-spending-outlook-1-trillion-from-2017-to-2021.html

[iv] Ponemon, Larry. “2016 Ponemon Institute Cost of a Data Breach Study.” SecurityIntelligence. IBM: Armonk. June 16, 2016. https://securityintelligence.com/media/2016-cost-data-breach-study/

[v] Sheridan, Kelly. “Fortune 1000 Companies See Security Ratings Drop.” Dark Reading. UMB Tech: San Francisco. March 8, 2017. http://www.darkreading.com/risk/fortune-1000-companies-see-security-ratings-drop/d/d-id/1328346?_mc=NL_DR_EDT_DR_weekly_20170309&cid=NL_DR_EDT_DR_weekly_20170309&elqTrackId=e9991c77cca0414fbf7cb0a461cf900f&elq=b9f2c9bdf3bc438cbcf3eed7d8f25683&elqaid=77217&elqat=1&elqCampaignId=25841

[vi] “Russell U.S. Indexes 2016 Reconstitution Analysis.” FTSE Russell, London Stock Exchange Group: London. June 10, 2016. http://www.ftserussell.com/files/support-documents/russell-1000-prelimary-report-2016