There is mismatch between what is actually going on in security and what the board of directors hears, according to the “Reporting to the Board: Where CISOs and the Board Are Missing the Mark” report out today.
The report is sponsored by Bay Dynamics and is based on surveys of 136 senior IT professionals, with a combined total of more than 3 million employees.
From a reporting perspective, 40 percent said that information they provide to the board is actionable. Yet despite that fact, only a third of the surveyed IT executives actually believe that their organization’s board understands the cyber-security information they are given. When it comes to the actual impact of conversations between IT professionals and corporate boards, only 37 percent agreed with the statement that organizational risk is reduced as a result of their conversations and reports to the board.
Steven Grossman, vice president of program management at Bay Dynamics, found a number of eye-opening points in the report.
“One statistic shows that cyber-security reporting has caught up to where finance and sales reporting was in the nineties,” Grossman told eWEEK.
He noted that during that in the 1990s, finance and sales reporting data was collected from operational data sources and analytics, but strategic and executive reporting data was predominantly compiled manually using spreadsheets. Bay Dynamics’ report revealed that 81 percent of IT and security executives use manually compiled spreadsheets to report data to the board.
“That statistic is mind boggling considering we are in 2016, especially when you look at the advances made in most other reporting and analytics domains,” Grossman said. “Cobbling together board reporting data manually can lead to subjective data massaging.”
Grossman added that by manually using spreadsheets instead of a more advanced approach, there can also be a false sense of security that hides serious deficiencies from both the IT and security executives and in turn the board. Those deficiencies could come from intentional manipulation or human error, but in either case, Grossman said that it leads to incorrect reporting and oversight of important data.
The report also highlights an information disconnect between what the corporate boards wants and what IT professionals communicate.
“The report … shows that while three quarters of respondents believe the board prefers quantifiable information, less than half said they actually provide it,” Grossman said.
Grossman suggests that IT and security executives report a combination of quantitative and qualitative information—providing quantitative metrics wrapped by qualitative context. For example, instead of simply presenting a quantitative list of all of the vulnerabilities found within the organization’s environment, IT professional should highlight only the ones that could directly lead to a compromise of the company’s most valuable information. The high-impact issues should also be accompanied by an explanation of what needs to be done to minimize those vulnerabilities.
“Metrics need context; they should not just be a list of metrics for the sake of providing metrics,” Grossman said.
Multiple studies in recent years have pointed out the increasing importance of having good communication between IT security and board-level executives. A 2015 study sponsored by Veracode and NYSE (New York Stock Exchange) Governance Services reported that 35 percent of organizations said that security is a topic at every board meeting. Yet, despite the awareness of cyber-security, there is still a disconnect.
“Both cyber-security executives and boards are well behind the curve in both the level of knowledge of the typical board member and the executive’s ability to provide a consistent and meaningful story with the data,” Grossman said. “Boards of directors need to do a better job of holding security executives responsible for providing accurate, traceable and actionable information.”
That said, Grossman emphasized that boards should be held accountable for asking the right questions to properly understand their organization’s cyber-security posture.
Technology can also play a role, which is a domain where Bay Dynamics has a platform. Bay Dynamics’s own cyber-risk program is managed using the company’s Risk Fabric platform, according to Grossman. The Risk Fabric platform combines user and entity behavior analytics with situational awareness and can generate automated board-ready reports that reflect the organization’s cyber-risk posture.
“On the technology side, user and entity behavior analytics software should be at the core of organizations’ cyber-risk programs,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.