The Cyentia Institute used in-depth surveys and interviews with corporate board members and CISOs to identify specific cyber risk issues resonating in boardrooms.
More talk of “guidance” than “protection”
CISOs report they spend most of their boardroom time “giving security guidance” on business enablement and loss avoidance. Surprisingly, CISO respondents reported they spend far less time discussing “data protection” and “brand protection,” despite widespread coverage of how breaches affect intellectual property and trust.
Boards want a “helicopter view” of cyber risk
Board members were five times as likely to cite “risk posture” as a key security metric compared to CISOs and 13 times as likely to say the same about “peer benchmarking” – showing boardrooms’ greater concern for the “big picture.”
Board members prefer this helicopter view of the cyber battlefield, versus CISOs’ day-to-day view of threats and trends more analogous to driving tanks through the mud.
Assumptions rule the world
Board members report being inundated with security data and often assume that CISOs armed with this data have things under control. One CISO was told, “We do not understand everything you are telling us, but we have a lot of confidence you are doing the right thing.” This refrain underscores a lingering gap in how security teams inform boards about issues affecting the bottom line.
“Pending legislation, shareholder pressure, and media attention are all pushing board members to take responsibility for their organizations’ cybersecurity. As this happens, it’s important to understand the questions that board members are asking and measure whether CISOs are providing the answers,” said Dr. Wade Baker, the lead researcher on the report, done in cooperation with Focal Point Data Risk.