Boardrooms have a reputation for not paying much attention to cybersecurity, but it could be that executives are finally keen to take more interest in securing the systems and networks their businesses rely on.
Senior figures from American, British and Australian cybersecurity agencies have said that business execs are now more aware of cyber threats and are actively engaging with their chief information security officer (CISO) and information security teams.
Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC), said that, in a "massive leap in trust," many organisations are actively seeking out advice to help inform boardrooms about cybersecurity issues.
"Today boards say, 'Can you come and brief our board, and can you stay while the CISO's briefing the board? And can you please give us a view about the quality of our controls and our estimation of risk?', which is hugely transparent," she said, speaking at the UK National Cyber Security Centre's (NCSC) Cyber UK conference in Newport, Wales.
"I see that as well, it feels as if it's really maturing," said Lindy Cameron, CEO of the NCSC. "We've been trying really hard over the last few months to get organisations to step up but not panic, do the things we've asked them to for a long time and take it more seriously".
The NCSC regularly issues advice to organisations on how to improve and manage cybersecurity issues, ranging from ransomware threats to potential nation state-backed cyberattacks – and Cameron said she's seen a more hands-on approach to cybersecurity from business leaders in recent months.
"I've seen chief execs really asking their CISOs the right questions, rather than leaving them to it because they don't have to understand complex technology. It does feel like a much more engaging strategic conversation," she said.
But there can still be a disconnect between knowing what needs to happen and actually budgeting for and implementing a cybersecurity strategy.
"I think everybody in this room knows what we need to do to do the basics of cybersecurity. And often the challenge is the culture and the resources; the will to say, 'This is the thing that we have to do and we're going to endure the pain to get there'," said Rob Joyce, director of cybersecurity at the National Security Agency (NSA).
He pointed to multi-factor authentication (MFA), generally regarded as one of the most effective single steps a business can take, because it puts an extra barrier in front of attackers trying to log in with phished, leaked or stolen usernames and passwords. Rolling MFA out to every user of a network, however, is a considerable undertaking.
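Joyce's point is about the organisational cost of rolling MFA out rather than its mechanics, but the "extra barrier" itself is simple to show. The following Python example is added here and is not code from the article or from any of the agencies quoted: it implements the time-based one-time password (TOTP) algorithm of RFC 6238 on top of HOTP (RFC 4226), then uses it in a toy login check in which a correct password alone is not enough. The user name and password are constructed inputs; the 20-byte secret is the test secret published in the RFCs, so the generated codes can be checked against the RFC's own vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, int(at_time) // step, digits, algo)


class Authenticator:
    """Toy password-plus-TOTP check. Not production code: no storage, no rate limiting."""

    def __init__(self, users: dict, step: int = 30):
        # users maps username -> (password, totp_secret); constructed sample data.
        self._users = users
        self._step = step
        self._last_counter: dict = {}             # highest counter accepted per user (replay guard)

    def login(self, username: str, password: str, code: str, now=None, skew: int = 1) -> bool:
        now = time.time() if now is None else now
        record = self._users.get(username)
        if record is None:
            return False
        stored_pw, secret = record
        # Factor 1: the password. compare_digest avoids a timing side channel.
        if not hmac.compare_digest(stored_pw.encode(), password.encode()):
            return False
        # Factor 2: a code from the current step or +/- `skew` neighbours (clock drift).
        counter = int(now) // self._step
        for c in range(counter - skew, counter + skew + 1):
            if c <= self._last_counter.get(username, -1):
                continue                          # already used or older: reject replays
            if hmac.compare_digest(hotp(secret, c), code):
                self._last_counter[username] = c
                return True
        return False


# Constructed demo data. The secret is the RFC 4226 / RFC 6238 test secret.
RFC_SECRET = b"12345678901234567890"
AUTH = Authenticator({"alice": ("correct horse battery staple", RFC_SECRET)})


def demo(now: int = 59) -> dict:
    """Return the outcome of four login attempts at a fixed time (default: T=59, RFC vector)."""
    good_code = totp(RFC_SECRET, now)
    return {
        "stolen_password_only": AUTH.login("alice", "correct horse battery staple", "000000", now=now),
        "password_and_code": AUTH.login("alice", "correct horse battery staple", good_code, now=now),
        "replayed_code": AUTH.login("alice", "correct horse battery staple", good_code, now=now),
        "wrong_password_right_code": AUTH.login("alice", "Tr0ub4dor&3", good_code, now=now),
    }


if __name__ == "__main__":
    for attempt, ok in demo().items():
        print(f"{attempt:28s} -> {'accepted' if ok else 'rejected'}")
```

At T=59 the 8-digit code for the RFC secret is 94287082, as in the RFC 6238 test table, and the 6-digit form 287082 is the HOTP value for counter 1. The `demo` function shows the property Joyce is referring to: a phished or leaked password on its own is rejected, and even a captured code is rejected when replayed after its first use.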
"We have a long journey ahead on multi-factor authentication, there's nobody who thinks that's a bad idea – but it's a real investment, a real pain to implement it," said Joyce.
Nonetheless, the NSA's cybersecurity director believes progress is being made, especially since the White House signed an executive order on cybersecurity for critical infrastructure and committed federal agencies to a zero-trust security model.
While those measures apply directly only to critical infrastructure and to federal agencies respectively, the strategies they set out could be just as useful to organisations in other sectors.
"The narrative has shifted at a political level, at the board level, at the industry level, who are now getting together and saying, 'We know where we must go, let's resource everyone to get there'," said Joyce.
And while most businesses will be expected to take control of implementing and updating a cybersecurity strategy themselves, governments and cybersecurity agencies are there to provide advice and guidance – and that's something that the ACSC's Bradshaw hopes that companies continue to take advantage of during their cybersecurity journeys.
"What they're looking for is evidence of an ongoing relationship and collaboration between my agency and their CISO and senior execs. That is something I'm extremely grateful for and I think bodes well for the evolution that's necessary over the next decade," she said.