Risks Confronting Boards 2016 - Cybersecurity

March 20, 2017


While succession planning seems to have ousted it from the top position, cybersecurity continues to rank, particularly for private and public companies, as one of the most concerning risks.

Out of the 12 methods that have been employed to address cybersecurity risks, almost all hovered around the 40-50% range of implementation across the board. Yet, directors continue to feel the methods being employed are not sufficient to protect their organization against a cyber-attack.

In response to an open-ended question as to which areas an organization should improve its oversight and/or management of cybersecurity risks, the majority of directors wanted to see all of the 12 methods (listed in the following graphic) employed.

What methods have been employed to address cybersecurity risks?


Public boards show the highest figures in terms of implementing a range of defenses to combat cybersecurity risks.

More than half of the directors indicated their organization employed nearly all the methods listed. (Cybersecurity assessments of third parties, information classification and protection and inventory of unauthorized and authorized devices were the least popular.) The public companies represented were taking advantage of a greater number of methods than private or not-for-profit organizations.

This initial statistic shows promise. But the overwhelming sentiment of public board directors was all areas need to be improved when responding to the areas in which their organizations should improve its oversight and/or management of cybersecurity risks. One respondent declared, "I just think in today's world, a director (especially at a smaller company) will always be concerned about whether enough is being done in this area."


As discussed, cybersecurity risk is the number one concern for private companies, drawing more attention than for public boards, which also have cybersecurity as the top concern. Private board directors understand cybersecurity is their top ranking risk; however, they have no confidence in the risk's management or in the organization's ability to combat an attack.

Cybersecurity audits and cybersecurity assessments of third parties are employed far less by private organizations than public.


Not-for-profits demonstrate the lowest employment of any methods to address cybersecurity risks. This is logical considering it was not ranked highly as a risk. Though, as indicated earlier in the report, not-for-profit boards find cybersecurity to be the overall most challenging risk to effectively oversee.

Some may cite the size/revenue of not-for-profits as an explanation for the lack of cybersecurity defense mechanisms. However, our survey pool of not-for-profit directors represent organizations in the billion-dollar range (and, on average, greater revenues than the surveyed private organizations.) It could be that greater monitoring of/available reporting on not-for-profit financials has influenced salaries and other critical spending. For the sake of a not-for-profit's reputation, revenues should be used to serve their constituency and mission, not on overhead.

The least commonly used approaches to address cybersecurity for not-for-profits include cybersecurity assessments of third parties, malware defenses and inventory of unauthorized and authorized devices. The lowest percentage – inventory of unauthorized and authorized devices at 8% – could be the easiest to employ/track and could be one of the most effective ways to avoid (basic) cyber attacks.

Concerns About Risks Confronting Boards - 2016 Survey Results

Have Questions or Comments?

If you have any questions, we'd like to hear from you.