In today’s corporate environment, where companies are combating threats from all directions in addition to complying with new cybersecurity regulatory requirements, guidance and frameworks, cyber risk management is no longer solely the “tech team’s responsibility.” Executives and boards of directors are waking up to the fact that everyone must contribute to protecting companies’ most valuable assets. They must treat cyber risk as they do other operational risks or else they may be the next data breach victim making headlines.
We have seen this shift during our own experiences working with enterprises but now we have new statistics to prove it. According to our recently released report, How Boards of Directors Really Feel About Cyber Security Reports, 89 percent of board members say they are very involved in making cyber risk decisions and 74 percent say cyber risk information is reported to them weekly. The report is based on a survey conducted by the third-party research firm Osterman Research of 125 enterprise executives that serve on the boards of directors of enterprises to get their thoughts on what they think about the information they receive from IT and security professionals.
The findings show that board members want to play an active part in reducing companies’ cyber risk and are making cyber risk the top priority outweighing other risks, such as financial, legal, regulatory, and competitive risks. They are holding IT and security executives accountable for presenting helpful cyber risk data with more than half (59 percent) of board members saying IT and security executives will lose their jobs for failing to report understandable and actionable information. The stakes are higher than ever before for truthful, traceable and measurable cyber risk reporting, a change that is helping companies improve their cyber risk posture because cyber risk reduction begins at the top.
Overall, the outcome of the report is positive, yet the data also shows more progress is needed. This is reflected in some contradictory responses. For example, while 70 percent of board members say they understand everything they are being told by IT and security executives, more than half (54 percent) agree or strongly agree the data presented is too technical. Also, more than three in five board members say they are significantly or very “satisfied” and “inspired” after a presentation by IT and security executives yet a majority (85 percent) say IT and security executives need to improve the way they report to the board. Those kinds of contradictions demonstrate a difference in maturity levels among board members regarding how well they understand cyber risk. While at first they may think they understand everything being reported to them, they may later realize that they do not know what to do with the cyber risk information.
There’s also a conflict of interest. Board members rely on IT and security executives, the same individuals who they are holding accountable to present useful data, to educate them about cyber risk. In many cases, IT and security executives have taught board members everything they know about cyber risk, which creates an inherent bias. The industry needs an objective, standard model for cyber risk management. That’s the best way to eliminate the bias and get both parties – the board and IT and security executives – on the same page.
However, even though the teacher is the student, we still noticed some major differentiations between how the board and IT and security executives view cyber risk reporting. In February 2016, Osterman Research unveiled a report titled, Reporting to the Board: Where CISOs and the Board are Missing the Mark, which is based on a survey asking IT and security executives about how they report information to the board. When comparing the two reports, a couple statistics stand out. While an overwhelming majority of board members (97 percent) say they know exactly what to do or have a good idea of what to do with the information presented by IT and security executives, only 40 percent of IT and security executives believe the information they provide to the board is actionable. And, although 70 percent of board members surveyed say they understand everything they’re being told by IT and security executives in their presentations, only one third of IT and security executives believe the board comprehends the cybersecurity information provided to them.
The differences show a disconnect exists between how IT and security executives and the board communicate with each other, a conclusion that isn’t new or surprising. IT and security executives mostly come from a technical background. They are accustomed to approaching cybersecurity from a vulnerability, firewall, zero day perspective versus board members who are accustomed to a risk-based approach that centers around how much damage can be done if an asset were compromised.
The board and IT and security executives need to get on the same page and speak the same language, which is the language of risk. IT and security executives must view themselves and be viewed as risk professionals. If a chief financial officer walked into a board meeting with incomplete or inaccurate data that is too complex to understand, he most likely would lose his job. The same applies to chief information security officers. They need to focus on asset value and impact to the business. Boards understand this language and are accustomed to it from other domains. What are the threats and associated vulnerabilities surrounding the company’s most valued assets? How much damage would be done if those assets were compromised? What already has been done since the last meeting to better secure those assets? What still needs to be done? They should work from the top down, presenting the top risks impacting the business, with the top being the intersection between the most likely and the most impactful to the business. It’s important to paint a picture for the board that highlights the past, present and future state of the company’s cyber risk, including lessons learned, goals and progress to the goal.
The good news is that, as our board report indicates, companies are headed in the right direction with the board more actively involved than ever before. That’s a significant improvement from where most companies were just a few years ago.
About the Author: Ryan Stolte has spent more than 20 years of his career solving big data problems with analytics. Starting in the early days of the web, his first user behavior analytics challenges were to find innovative ways to recommend products to end-users and drive sales on e-commerce sites. With the proliferation of the connected enterprise, his attention turned to new analytics challenges with internal IT, cloud, and cybersecurity initiatives. With two decades of experience in user behavior analytics, a portfolio of analytics patents, and an unparalleled leadership team, Ryan is focused on finding innovative ways to provide smart cybersecurity solutions for the enterprise. Ryan co-founded Bay Dynamics, a cyber risk analytics company, in 2001.