The decisions that board level executives make on cyber security are very dependent on the quality of the reports they receive from front line management.
A new report from cyber risk analysis specialist Bay Dynamics, carried out in conjunction with Osterman Research, looks at how boards of directors see cyber security reports. Among its findings are that 59 per cent of board members say that one or more IT security executives will lose their job as a result of failing to provide useful, actionable information.
Cyber risks are a high priority among board members compared to other areas such as financial, legal, regulatory, and competitive risks. 89 per cent of board members say they are very involved in making cyber risk decisions and 74 per cent say cyber risk information is reported to them weekly.
The results call the usefulness of those reports into question, however. Even though 70 per cent of board members surveyed report that they understand everything that they’re being told by IT and security executives in their presentations, more than half (54 per cent) agree or strongly agree that the data they're presented with is too technical.
Although more than three out of five board members say they are significantly or very 'satisfied' (64 per cent) and 'inspired' (65 per cent) after the typical presentation by IT and security executives about the company's cyber risk, the majority (85 per cent) of board members believe that IT and security executives need to improve the way they report to the board.
The report's authors conclude, "Boards of directors are built on consistency and demand it to do their jobs. They’re accustomed to a consistent way of measuring an organisation. This new cyber risk challenge that they're presented with lacks a standard that they can anchor themselves on to know how they’re performing when it comes to managing cyber risk. This is critically important to solving this problem.
"By providing consistency in the way security data is compiled - in a traceable and transparent manner - then the board can access unbiased metrics to leverage and hold IT and security executives accountable".