How CIOs Should Convey Cyber-Risks to the Board
Boards of directors expect less technical and more actionable information from IT and security executives in order to assess how cyber-risk is being addressed.
Board Members Involved in Security
89% of board members say they are very involved in making cyber-risk decisions, indicating that the analysis and communication of security metrics by IT and security executives is critically important to cyber-risk reduction.
Inactionable Security Information Means Job Risk
59% of board members say one or more IT security executives will lose their jobs if they don't provide useful, actionable information. 34% said they would warn that improvement is necessary.
Cyber Risk in the Spotlight
26% of board members say cyber-risk is the highest priority, whereas other risks (financial, legal, regulatory and competitive) are the highest priority for up to 22% of respondents.
What Data Really Is Actionable?
Although 97% of board members say they know exactly what to do, or have a good idea of what to do, with data reported by security and risk organizations, two out of five board members don't believe risk decreases because of input from IT and security.
Data Is Too Technical
Even though 70% of board members say they understand everything IT and security executives say, 54% agree, or strongly agree, that the data presented to them is too technical.
Board Satisfaction After Presentations
65% of board members are significantly or very satisfied and inspired after IT and security executives' presentations about the company's cyber-risk.
But Presentations Need to Improve
85% of board members believe IT and security executives should improve the way they report to the board.
Top Three Items the Board Wants
The top three items boards want from IT and security executives are: (1) clearly worded reports that do not require board members to be cyber-experts; (2) quantitative information about cyber-risks; and (3) the progress that has been and is being made to address the company's cyber-risk.
Boards Favor Consistency
Boards demand consistency to measure an organization, but cyber-risk lacks a standard. They want an anchor so they can assess how cyber-risk is being managed.
What IT and Security Executives Can Do
Providing consistency in how security data is compiled—in a traceable and transparent manner—helps the board assess unbiased metrics to leverage and hold IT and security executives accountable.
Half of IT and security executives risk losing their jobs if they fail to provide useful, actionable information to their company's board, according to a recent study. The report, "How Boards of Directors Really Feel About Cyber Security Reports," also reveals a disconnect between what the board perceives as actionable information and what IT and security executives define as data that can be used to make informed decisions. "Part of the problem is that board members are being educated about cyber-risk by the same people (IT and security executives) tasked to measure and reduce it," says Ryan Stolte, CTO at cyber-risk analytics company Bay Dynamics, which commissioned the study. "Companies need an objective, industry-standard model for measuring cyber-risk so that everyone is following the same playbook and making decisions on the same set of requirements." Osterman Research conducted the study in April. Its 125 respondents are C-level executives, senior executives, vice presidents, or directors/senior directors on either the board of directors of their company, or on the board of another company.