This sentiment already abounds. Rather, it was that a Gartner survey discovered that 40% of American boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member by 2025. The number today is less than 10%. So yes, this is progress. But it really isn’t particularly impressive, and that is the real point.

Just look at what is going on. More than 80% of U.S. companies have been successfully hacked, according to Duke University. Only a few months into 2021, cyber breaches have already buffeted the likes of Facebook, Instagram, LinkedIn, Microsoft, U.S. Cellular, Kroger, Hobby Lobby, Cancer Treatment Centers of America, and the California Department of Motor Vehicles. While a number of useful countermeasures are being taken across the board, progress remains relatively slow in the face of borderline existential threats.

Not so long ago, companies thought of cybersecurity as a technology problem to be overseen by the chief security officer (CSO) or the chief information officer (CIO), or as a compliance issue to be managed with audit functions. Today, thankfully, a more holistic, proactive and analytical approach is generally taken. There is more security training and better hygiene, and most boards now count a seasoned chief information security officer (CISO) as one of their directors.

Nonetheless, recent surveys underscore that cybersecurity still isn’t where it needs to be in the boardroom. In its 2020 annual corporate director’s survey, for instance, PricewaterhouseCoopers found that less than a third of nearly 700 respondents said they understood their company’s cyber vulnerabilities particularly well. In a similar vein, a study by Trend Micro, a security software provider, found that only 23% of organizations polled said they aligned security with key business initiatives, typically a priority among corporations with the highest-regarded cybersecurity programs. In addition, 44% of respondents said that their board of directors had only limited involvement in many critical cybersecurity operations, suggesting that many boards are only prepared to fund the minimum amount necessary.

Perhaps corporations can do only so much given the belief that many hacks can be contained but not totally eradicated. The attack surface, after all, is gargantuan.


