How CIOs Should Convey Cyber-Risks to the Board

Karen A. Frenkel

Boards of directors expect less technical and more actionable information from IT and security executives in order to assess how cyber-risk is being addressed.

Board Members Involved in Security

89% of board members say they are very involved in making cyber-risk decisions, indicating that the analysis and communication of security metrics by IT and security executives is critically important to cyber-risk reduction.

Inactionable Security Information Means Job Risk

59% of board members say one or more IT security executives will lose their jobs if they don’t provide useful, actionable information. 34% said they would warn that improvement is necessary.

Cyber Risk in the Spotlight

26% of board members say cyber-risk is the highest priority, whereas other risks—financial, legal, regulatory and competitive—are the highest priority for up to 22% of respondents.

What Data Really Is Actionable?

Although 97% of board members say they know exactly what to do, or have a good idea of what to do, with data reported by security and risk organizations, two out of five board members don’t believe risk decreases because of input from IT and security.

Data Is Too Technical

Even though 70% of board members say they understand everything IT and security executives say, 54% agree, or strongly agree, that data presented to them is too technical.

Board Satisfaction After Presentations

65% of board members are significantly or very satisfied and inspired after IT and security executives’ presentations about the company’s cyber-risk.

But Presentations Need to Improve

85% of board members believe IT and security executives should improve the way they report to the board.

Top Three Items the Board Wants

The top three items boards want from IT and security executives are: clearly worded reports that do not require board members to be cyber-experts; quantitative information about cyber-risks; and progress that has been and is being made to address the company’s cyber-risk.

Boards Favor Consistency

Boards demand consistency to measure an organization, but cyber-risk lacks a standard. They want an anchor so they can assess how cyber-risk is being managed.

What IT and Security Executives Can Do

Providing consistency in how security data is compiled—in a traceable and transparent manner—helps the board assess unbiased metrics to leverage and hold IT and security executives accountable.
