Boards are struggling to understand the value of cyber security, and the government needs to step in to help them appreciate its necessity.
This message came from a panel of experts speaking at today's Cyber Security Forum 2011.
Sir David Omand, a former director of the government's spy agency GCHQ (Government Communications Headquarters), said he hoped the government's upcoming cyber security strategy would improve understanding at board level.
"At least a quarter of boards don't understand the question – there is a serious under-appreciation of the gravity of the issue," said Omand.
"We need behavioural changes, and that only comes from a compelling narrative. The government's security strategy should provide that."
He drew a parallel with the way in which rising car crime was tackled 20 years ago.
"In the 90s, the Home Office was getting concerned about rising vehicle crime, so the insurance industry was persuaded to offer substantial discounts if you had a good alarm.
"So people started asking for these alarms and car manufacturers responded quickly. We need to find the cyber equivalent."
Another former GCHQ director, Sir Kevin Tebbit, said cyber security doesn't provide a measurable return on investment.
"Boards have a great deal of difficulty in coping with the risk. One board spends £40m securing themselves, and one spends nothing – and you can't measure which one is succeeding. So how does the board show value to its shareholders?"
The government's cyber security strategy was due to be released this month, but has been delayed indefinitely.