By Feris Rifai, CEO and co-founder, Bay Dynamics
Whether security is a major concern or a differentiator for an organization depends highly on how it is managed. More importantly, how a company’s security stance is reported and how the board leverages those security insights is central to discerning whether security controls are a benefit or just another ineffective cost to the line of business.
With the constant barrage of breaches in the last few years, security has become a top-of-mind issue for boards across all industries. As such, they want to continue being briefed on their businesses’ security posture. To assess the effectiveness of this important aspect of security, Bay Dynamics is unveiling a new report looking into the reporting process. Unfortunately, but not surprisingly, the results were bleak, revealing inadequacies in how reporting to the board is being done today.
The report, titled “Reporting to the Board: Where CISOs and the Board are Missing the Mark,” is based on a survey conducted by Osterman Research. The survey was distributed to IT and security executives of 136 companies with more than 2,000 employees within the U.S. that are involved in and responsible for reporting to their organization’s board.
The report reveals that the majority of IT and security execs tell the board what they want to hear, although the information is often not actionable. Two-thirds of those surveyed agree or strongly agree that they know what to present to the board; however, only two in five IT and security executives agree or strongly agree that the information they provide to the board contains actionable information. As a result, only 29 percent of respondents believe they get the support they need from their boards.
The report also breaks down what kind of data IT and security execs are reporting. More than half (53 percent) indicate their boards prefer qualitative data with only 38 percent saying the same for quantitative data. But the fact is that in order to make effective business decisions, the board needs quantitative data within context (qualitative data). In other words, IT and security execs should be reporting both qualitative and quantitative data.
Also interesting to note is the pervasiveness of manual methods within the reporting process, which can create the perfect recipe for botched reporting. According to the survey, 81 percent of respondents employ manually compiled spreadsheets for reports, providing IT and security execs plenty of opportunity to unintentionally or intentionally skew reports.
Those are just some of the highlights from the report. To read it in its entirety visit: http://baydynamics.com/resources/reporting-to-the-board-where-cisos-and-the-board-are-missing-the-mark
Ultimately, it is clear that the security reporting process is broken and the onus lies on both IT and security execs and the board to fix it. In order for the board to better manage cyber risk, they need to hold their IT and security execs accountable for providing accurate, traceable and actionable information. On their end, IT and security execs need to ensure they leverage quantitative and qualitative data that lends context for decisions in a digestible fashion while also making sure that data can be put into action.