A new report reveals that more than half of board members say IT and security executives will lose their jobs as a result of failing to provide useful, actionable information.
The report titled, "How Boards of Directors Really Feel about Cyber Security Reports," also highlights significant contradictions such as while the majority (70 percent) of board members say they understand everything they're being told by IT and security executives in their presentations, more than half believe the data presented is too technical.
The report is based on a nationwide survey, conducted by the third party research firm Osterman Research, of 125 enterprise executives that actively serve on a board of directors and receive reports about companies' cyber security programs. Some of the additional findings include:
- The board is paying attention: 89 percent of board members said they are very involved in making cyber risk decisions.
- Cyber risks outweigh other risks: Cyber risks were the highest priority for 26 percent of board members surveyed, while other risks such as financial, legal, regulatory and competitive risks had the "highest priority" scores no higher than 16 to 22 percent.
- There's room for reporting improvements: Although more than three in five board members say they are both significantly or very "satisfied" and "inspired" after the typical presentation from IT and security executives about the company's cyber risk, the majority (85 percent) believe that IT and security executives need to improve the way they report to the board.
The board report complements another report released by Bay Dynamics in February 2016 titled "Reporting to the Board: Where CISOs and the Board are Missing the Mark" which is based on a survey conducted by Osterman Research asking IT and security executives about how they report information to the board. Highlights of comparable data from both reports include:
- The board says cyber risk information is actionable. IT and security executives say otherwise: While an overwhelming majority of board members (97 percent) say they know exactly what to do or have a good idea of what to do with the information they are presented by IT and security executives, only 40 percent of IT and security executives believe the information they provide to the board is actionable.
- Board members say they understand, but IT and security executives don't believe they do: Although 70 percent of board members surveyed said they understand everything they're being told by IT and security executives in their presentations, only one third of IT and security executives believe the board comprehends the cyber security information provided to them.
- There's confusion regarding how cyber risk information is collected: Half of board member respondents believe IT and security executives use manually compiled spreadsheets to report cyber security data to the board. When in actuality, 81 percent of IT and security executives report they employ manually compiled spreadsheets to report data to the board.
"Companies are headed in the right direction when it comes to managing their cyber risk. As our latest report shows, the board is engaged and holding IT and security executives accountable for reducing risk," says Ryan Stolte, Chief Technology Officer at Bay Dynamics. "However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbook and making decisions based on the same set of requirements."