The security program within an organization represents one of the most important concerns for the board of directors. That is why, many companies IT department are involved for reporting to members of the board of directors the cyber security activity. With the cyber threats becoming more technically advanced, data breaches increased over the last few years and the problem is not being solved soon. But many boards do not judge this program as crucial.
Board members are not focused on the most important information we might think…
According to a research made by Osterman Research Inc., commissioned by Bay Dynamics, and published in February 2016, many key findings show that things reported by the IT Department to the board of directors are not the most relevant one contrarily to what one might think. Indeed, the survey lead by Osterman Research Inc. shows that «IT and security executives tell the board what they want to hear, even though the information is often not actionable». Only two in five IT and security executives consider the information they report to the board is actionable.
Then, the survey displays that «81% of IT and security executives employ manually compiled spreadsheets to report data to the board». By compiling data manually, some mistakes can be done and important data can be unobserved due to human factor.
Another aspect the survey points out is the fact that «board of directors prefer qualitative to quantitative information». More than 50% of respondents say that board members prefer qualitative information whereas 38% of them say that they prefer quantitative information.
Information reported to the board in terms of costs of cyber security program is not the most common type of information. 71% of board members prefer to have an insight about «known vulnerabilities within the organization systems», 67% of them prefer to have «recommendations on cyber security program improvements», and 66% of the members ask for «specific details on data loss incidents». Costs and expenditures for cyber security program are not the most reported.
The type of data affected is the most important for board members according to 84% of respondents. Board of directors want to know if the «data attacked was sensitive or confidential, such as (…) personal information, or corporate financial data».
Finally, 80% of respondents say that board of directors wants to have a report about major data breaches, but «more than a third report they do not know all of the data breaches that occurred in 2015», while they report that kind of issue weekly or more frequent
Issues About Cyber security Information Reported to the Board
Percentage Responding Agree or Strongly Agree
Source: Osterman Research, Inc.
A large proportion of respondents report that "they know what the board wants to hear and are providing them with this information, which is often not actionable"
But what exactly the board want to hear?
The proportion of board members that want to know in details initiatives and problems, reported by IT and security executives, is not large as we might think. Indeed, 75% of respondents «believe their boards want reports with understandable language that does not require them to be cyber security experts. Slightly more than one-half of these executives believe that their boards want detailed information about how information is being secured today and where improvements are needed».
Cyber Security Information Desired by the Board
Percentage Reporting a Desire or Strong Desire
Source: Osterman Research, Inc.
This figure points out several issues regarding what information the board members want to have about cyber security. A large proportion of respondents report that «they know what the board wants to hear and are providing them with this information, which is often not actionable».
To conclude, this survey put the emphasis on an important aspect that board of directors take lightly: the cyber security within the organization. This survey shows that «IT and executives security more or less regularly report information to the board members about cyber threats and cyber security incidents», but this points out that the «board of directors is not doing its job when it comes to effectively managing cyber risk». This is a duty for the board to request more detailed reports in order to have more accurate and actionable information for implementing an effective cyber security program.
Reporting to the Board: Where CISOs and the Board are Missing the Mark – An Osterman Research Survey Report – February 2016 – Commissioned by Bay Dynamics.
published on 2017/18/10