Why Security Pros Should Provide Useful, Actionable Info to Top Brass

A majority of board directors and top execs said failing to give them useful cyber-risk information would likely lead to security professionals' dismissal.

Providing the right type of security reports to company leaders and boards of directors is crucial and could also affect IT executives' careers, according to new research sponsored by Bay Dynamics.

More than half (59 percent) of board members indicated that one or more security executives would lose their jobs as a result of not providing useful and actionable information to the board, the report found. Additionally, 34 percent of respondents indicated that a warning would be given for a failure to provide the right information.

"[The board] would fire whomever is in charge of presenting cyber-risk reports," Ryan Stolte, co-founder and CTO at Bay Dynamics, told eWEEK. "Oftentimes, that person is the CISO. In some cases, the CIO or CTO reports to the board, in which case that person would lose his/her job."

In a report published by Bay Dynamics in February, the company surveyed senior IT professionals and found that only 40 percent were providing information to the board that was actionable.

Of particular note in the new study, though, are multiple contradictions among board members' responses about how well they understand security reports. For example, the study found that 97 percent of respondents indicated that they know what to do with data reported by the security and risk organization. Yet, in response to a different survey question, 85 percent of respondents said that IT and security need to improve the way they report.

"There are major contradictions in board members' responses, which again shows a difference in maturity surrounding cyber-risk," Stolte said. "The 97 percent number also contradicts our previous survey asking IT and security executives what they think the board wants."

Board members may think the information they are getting is actionable, but then when actually trying to make sense of the information and putting it to use, they may realize that the information is too technical and needs clarification, Stolte said. He added that the contradictions show that cyber-risk reporting is still a work in progress on both sides.

Overall, the survey does seem to indicate that boards and IT and security executives are getting closer to fully understanding and executing cyber-risk management programs.

"As the survey indicates, the board is actively involved with 89 percent of board members saying they are very involved in making cyber-risk decisions," Stolte said.

Stolte said he was both surprised and pleased to see that cyber-risks topped the priority list for board members, surpassing other operational risks that in the past were the main focal point. According to the report, cyber-risks were the highest priority for 26 percent of board members surveyed, while other risks, such as financial, legal, regulatory and competitive risks, had highest-priority scores of 16 percent to 22 percent.

"This is a positive finding; it demonstrates the board really is paying attention to cyber-risk and giving it the same, if not more, attention than other risks to the business," Stolte said. "It also shows that cyber-security has come out of the 'techie' corner and it is no longer an isolated task that only the IT and security team manages."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.