As cybersecurity and data breaches are increasingly in the public eye, board members are in turn giving the eye to their security staff. New research has revealed that more than half of all IT and security executives will lose their jobs as a result of failing to provide useful, actionable information to the executive team.
The report, from Osterman Research, found that the board is indeed paying attention: 89% of board members said they are very involved in making cyber-risk decisions. Cyber-risks were the highest priority for 26% of board members surveyed, while other risks such as financial, legal, regulatory and competitive risks received “highest priority” scores no higher than 16 to 22%.
In fact, more than three in five board members say they are significantly or very “satisfied,” and likewise “inspired,” after the typical presentation from IT and security executives about the company’s cyber-risk.
However, the downside is this: awareness doesn’t mean that board members fully understand what that risk entails, and they place the blame for that squarely on the security staff’s shoulders. The majority (85%) believe that IT and security executives need to improve the way they report to the board.
For one thing, there’s confusion regarding how cyber-risk information is collected: Half of board member respondents believe IT and security executives use manually compiled spreadsheets to report cyber-security data. In actuality, 81% of IT and security executives report they employ manually compiled spreadsheets to report data to the board.
The board also believes that cyber-risk information is actionable. An overwhelming majority of board members (97%) say they know exactly what to do or have a good idea of what to do with the information they are presented by IT and security executives. But, only 40% of IT and security executives feel the same.
And perhaps the biggest indication of a communications breakdown: Although 70% of board members surveyed said they understand everything they’re being told by IT and security executives in their presentations, only one third of IT and security executives believe the board comprehends the cybersecurity information provided to them.
“Companies are headed in the right direction when it comes to managing their cyber risk. As our latest report shows, the board is engaged and holding IT and security executives accountable for reducing risk,” said Ryan Stolte, CTO at Bay Dynamics, which sponsored the report. “However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbook and making decisions based on the same set of requirements.”