CISOs say they spend far less time discussing data protection and brand protection with the board, and spend more time giving security guidance on business enablement and loss avoidance—despite widespread coverage of how breaches affect intellectual property and trust.
That’s the word from Focal Point Data Risk’s Cyber Balance Sheet Report, which examines the roles of boardroom members and CISOs in managing cyber-risk.
“For years, pundits have been saying 'cyber needs to be a boardroom issue,' but the Cyber Balance Sheet Report replaces this sound bite with the most illuminating look yet at where cyber issues are making headway with boards or falling off the table,” said Yong-Gon Chon, CEO of Focal Point. “The report reveals important indicators around cyber-awareness at the top levels of governance. We have evolved from cybersecurity being a component of IT performance to becoming an issue that prompts broader questions about protecting valuable company data. Yet, as the report discloses, it’s the nature of these questions and how CISOs respond that determines how far oversight and accountability still have to evolve.”
It uncovered that board members are five times as likely to cite “risk posture” as a key security metric compared to CISOs, and 13 times as likely to say the same about peer benchmarking—showing boardrooms’ affinity for the big picture.
Board members also report being inundated with security data and often assume CISOs—armed with data—have things under control. One CISO was told, "We do not understand everything you are telling us, but we have a lot of confidence you are doing the right thing."
Boards want a helicopter view of the cyber battlefield, in other words, versus CISOs’ day-to-day view of threats and trends—which is more analogous to driving tanks through the mud.
“Pending legislation, shareholder pressure and media attention are all pushing board members to take responsibility for their organizations’ cybersecurity,” said Wade Baker, co-founder of the Cyentia Institute, which conducted the study, and lead researcher on the report. “As this happens, it’s important to understand the questions that board members are asking and measure whether CISOs are providing the answers.”