News Feature | June 30, 2016

CEOs Say Security Execs Are At Risk Of Losing Their Jobs Over Poor Reporting

By Christine Kern, contributing writer

Cyber risk reduction transcends identification by IT execs and must include clear communication.

More than half of IT and security executives will lose their jobs for failing to report understandable and actionable information to boards of directors, according to findings of a Bay Dynamics report. The report, How Boards of Directors Really Feel About Cyber Security Reports, is based on a survey conducted by the third-party research firm Osterman Research of 125 executives who serve on the boards of directors of enterprises, asking what they think about the information they receive from IT and security professionals.

According to the study authors, "Given the impact that a security breach can have on an organization, it's no surprise that 89 percent of board members said they are very involved in making cyber risk decisions. This statistic from our survey indicates that the analysis and communication of security metrics by IT and security executives to the board of directors is a critical component of the cyber risk reduction process."

The results demonstrate the need for clearer communication of cyber security risks and the presentation of actionable data that board members can readily grasp and articulate. Eighty-nine percent of board members say they are very involved in making cyber risk decisions, and 74 percent say cyber risk information is reported to them weekly. Additionally, cyber risks were the highest priority among board members compared to other risks, such as financial, legal, regulatory, and competitive risks.

And although 70 percent of board members surveyed report that they understand everything they're being told by IT and security executives in their presentations, 54 percent agree or strongly agree the data presented is too technical.

Further, although 64 percent of board members say they are significantly or very satisfied and inspired after the typical presentation by IT and security executives about the company's cyber risk, the majority (85 percent) of board members say there is much room for improvement in the way that IT and security executives report to the board.

This board report also complements the findings of a February 2016 Bay Dynamics report, "Reporting to the Board: Where CISOs and the Board are Missing the Mark," which is based on a survey conducted by Osterman Research asking IT and security executives about how they report information to the board. Together, the two reports presented comparable data, including the following:

  • While the board says that cyber risk information is actionable, IT and security executives disagree. An overwhelming majority of board members (97 percent) say they know what to do with the information presented, while just 40 percent of IT and security executives say the information they provide is actionable.
  • And while 70 percent of board members surveyed report understanding the reports from IT and security executives, only one-third of IT and security execs believe that the boards comprehend their presentations.
  • There is also confusion over how cyber risk information is collected.

"Companies are headed in the right direction when it comes to managing their cyber risk. As our latest report shows, the board is engaged and holding IT and security executives accountable for reducing risk," says Ryan Stolte, Chief Technology Officer at Bay Dynamics. "However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbook and making decisions based on the same set of requirements."