How executives really feel about infosec reports

More than half of IT and security executives will lose their jobs as a result of failing to provide useful, actionable information. While the majority of board members say they understand everything they’re being told by IT and security executives in their presentations, more than half believe the data presented is too technical, according to Bay Dynamics.

The board is paying attention: 89 percent of board members said they are very involved in making cyber risk decisions.

“74 percent of board members say IT and security executives report to them weekly about the company’s cyber risk. They expect to receive reports on a regular, frequent basis. They also seek to have a better understanding of cyber risk information and if they do not understand and cannot action information being reported, the consequences are severe with 59 percent of board members saying IT and security executives will lose their jobs for poor reporting,” Steven Grossman, VP of Program Management at Bay Dynamics, told Help Net Security.

Cyber risks were the highest priority for 26 percent of board members surveyed, while other risks such as financial, legal, regulatory and competitive risks had the “highest priority” scores no higher than 16 to 22 percent.

A few years ago, these numbers would not have been the same, believes Grossman. “Cyber risk only recently got a seat at the boardroom table and even then, it wasn’t considered as seriously as it is today. Now board members want to see measurable, traceable and truthful information pertaining to the company’s cyber risk. They want to understand the information so that they can make educated investment decisions. A few years ago, inside many board rooms, the words “cyber risk” fell on deaf ears. They looked at cyber risk as a “techie” term without giving it much thought beyond that.”

70% of board members say they understand the security information that’s being presented to them, yet only a third of security executives believe that to be true. This is a huge gap.

“I think 70% is high, especially since 75% of IT and security executives believe the board doesn’t understand what’s being presented. I think there is still confusion surrounding what kind of information the board wants and what kind of information IT and security executives think they want. There’s also confusion surrounding what kind of information can lead to the most informed action. For example, in the report, board members say one of the most common types of data reported is a list of vulnerabilities within an organization. While a list of vulnerabilities may seem helpful, it’s not the most effective piece of information to help minimize cyber risk. Boards need to only understand vulnerabilities pertaining to their most valued assets and how those vulnerabilities either were fixed or need to be fixed. Without considering the value at risk, a list of vulnerabilities is relatively meaningless,” says Grossman.

We also need to consider who is educating the board about cyber risk and what it means, according to Grossman. “Board members are learning about cyber risk from the same people who they are holding accountable to minimize it. It’s like a student explaining to his teacher what he needs to include in his term paper in order to get an A. That’s a flawed model. The industry needs an objective standard model for reporting that both parties – the board and IT and security executives – can follow. That way both parties can be on the same page regarding what kind of information is needed to effectively reduce cyber risk.”

Half of board member respondents believe IT and security executives use manually compiled spreadsheets to report cyber security data to the board. When in actuality, 81 percent of IT and security executives report they employ manually compiled spreadsheets to report data to the board.

“Today’s CISO must be a true risk professional. He/she is no longer the tech expert who sits in a corner office. CISOs are expected to not only reduce cyber risk organization-wide but also teach the board and other C-level executives how to do so. They are increasingly being viewed as upper management. Their salaries, accountability and responsibilities reflect that. Those that cannot make that transition will not be around very long,” concluded Grossman.