A number of IT and security executives are on the cusp of losing their jobs because they aren't supplying essential information and reports to the board.
Boards on Alert
89% of board members surveyed said they are very involved in making cyber-risk decisions.
Growing Priority
Cyber-risks were the highest priority for 26% of the board members surveyed, topping areas such as financial, legal and regulatory.
Questioning Compensation
70% of the board members said they understand everything they're being told by IT and security executives in their presentations, yet half think the data is too technical.
Important Improvements
64% are "satisfied" or "inspired" after a presentation from IT and security executives about the company's cyber-risk, but 85% said these execs need to improve the way they report to the board.
Sounding the Warning
34% of board members said they would provide warnings to IT and security executives that improvements in reporting would need to be made.
Taking Action
59% of board members said that one or more IT security executives will lose their job as a result of failing to provide useful, actionable information.
It's About Time
74% of board members said that reporting takes place weekly, 23% said it occurs monthly, 2% quarterly and 1% less than quarterly.
Conflicting Reponses
97% of the board members said they know exactly what to do—or have a good idea of what to do—with the information. But a December 2015 survey found that only 40% of IT and security executives think the information they provide to the board is actionable.
What Board Members Want
Reports with understandable language. Quantitative information about cyber-risks. Data that shows progress
Report's Most Valuable Items
Complete list of vulnerabilities in the company. Details on data loss. Downtime caused by data breach incidents
Room for Improvement
85% of the respondents said that IT and security executives need to improve the way they report to the board.
Traceable and Transparent
By providing consistency in the way security data is compiled—in a traceable, transparent manner—the board can access unbiased metrics and can hold IT and security executives accountable.
Over the past few years, as cyber-security has emerged as a critical business issue, corporate boards have become increasingly involved in enterprise security matters. Today, many directors seek accurate and actionable information about risks, threats and breaches. However, a recently released report, "How Boards of Directors Really Feel About Cyber Security Reports," paints a somewhat pessimistic picture of the current state of affairs. It reveals that a number of IT and security executives are on the cusp of losing their jobs because they aren't supplying essential information and necessary reports to organizational leaders. Yet, it also points out that board members said they understand what they're being told by security experts, though many also said that the data presented to them is too technical. Here's a look at some of the key findings conducted from an Osterman Research and Bay Dynamics survey of 125 enterprise executives who actively serve on a board of directors and view reports about cyber-security.
This article was originally published on 2016-07-15
Samuel Greengard writes about business and technology for Baseline, CIO Insight and other publications. His most recent book is The Internet of Things (MIT Press, 2015).
