How CIOs Should Convey Cyber-Risks to the Board
Boards of directors expect less technical and more actionable information from IT and security executives so that they can assess how cyber-risk is being addressed.
89% of board members say they are very involved in making cyber-risk decisions, indicating that the analysis and communication of security metrics by IT and security executives is critically important to cyber-risk reduction.
59% of board members say one or more IT security executives will lose their jobs if they don’t provide useful, actionable information. 34% said they would warn that improvement is necessary.
26% of board members say cyber-risk is the highest priority, whereas other risks—financial, legal, regulatory and competitive—are the highest priority for up to 22% of respondents.
Although 97% of board members say they know exactly what to do, or have a good idea of what to do, with data reported by security and risk organizations, two out of five board members don’t believe risk decreases because of input from IT and security.
Even though 70% of board members say they understand everything IT and security executives say, 54% agree, or strongly agree, that data presented to them is too technical.
65% of board members are significantly or very satisfied and inspired after IT and security executives’ presentations about the company’s cyber-risk.
85% of board members believe IT and security executives should improve the way they report to the board.
The top three items boards want from IT and security executives are:
1. Clearly worded reports that do not require board members to be cyber-experts.
2. Quantitative information about cyber-risks.
3. Progress that has been and is being made to address the company’s cyber-risk.
Boards demand consistency to measure an organization, but cyber-risk lacks a standard. They want an anchor so they can assess how cyber-risk is being managed.
Compiling security data consistently, in a traceable and transparent manner, gives the board unbiased metrics it can use to hold IT and security executives accountable.