“The Risky Six: Key questions to expose gaps in board understanding of organizational cyber resiliency”
The Institute of Internal Auditors (IIA) and Ernst & Young LLP (EY) release a joint report, “The Risky Six: Key questions to expose gaps in board understanding of organizational cyber resiliency.”
Practitioners and researchers from The IIA and EY conducted extensive analysis to determine the root cause of how and why boards get a skewed picture of their organizations’ ability to protect themselves from cyber-related risks. The team, which collectively has more than 100 years of experience managing cybersecurity risks within organizations in all industries, identified six key questions that if unanswered likely mean a disconnect exists.
Key data pointing to widespread disconnects from boards — rooted in the team’s deep experience in the field, as well as cutting-edge research from The IIA and EY — include the following:
- 60% of organizations do not have a head of cybersecurity who sits on the board or at executive management level.
- 59% of organizations say that the relationship between cybersecurity and the lines of business is at best neutral, to mistrustful or nonexistent.
- 20% of boards are extremely confident that the cybersecurity risks and mitigation measures presented to them can protect the organization from major cyber-attacks.
- 36% of organizations say cybersecurity is involved right from the planning stage of a new business initiative.
Organizations working toward a collective “yes” for the six questions provide a narrative that is well received by stakeholders inside and outside the organization. It highlights the due care and diligence underway to battle cyber risk. However, the report also exposes how easily boards can develop false confidence if any of the six questions can’t be answered in the affirmative.