Connect with us

Hi, what are you looking for?


Management & Strategy

CISOs Risk Getting Fired Over Poor Reporting

Board members are paying attention to the cyber risk information reported to them and many say that cybersecurity executives could lose their jobs if they fail to provide useful, actionable information, a recent survey from Bay Dynamics reveals.

Board members are paying attention to the cyber risk information reported to them and many say that cybersecurity executives could lose their jobs if they fail to provide useful, actionable information, a recent survey from Bay Dynamics reveals.

According to the study, 89% of board members surveyed said they are very involved in making cyber risk decisions, while 74% of them said the cyber risk information is provided to them weekly. However, they also say that IT and security executives should be held accountable for presenting quality reports, with 59% of respondents saying security executives will lose their jobs as a result of failing to provide useful, actionable information.

The survey also found that 70% of board members say they understand what IT and security executives tell them in their presentations, but more than half believe the data presented is too technical. 26% of respondents say that cyber risk has the highest priority, while financial, legal, regulatory and competitive risks had scores of 16 to 22 percent.

Based on a nationwide survey conducted by research firm Osterman Research among 125 enterprise executives who actively serve on a board of directors, the report also reveals that there is room for reporting improvements. More than 60% respondents say they are very satisfied and with the typical presentation from IT and security executives, 85 percent believe that IT and security executives need to improve the way they report to the board.

Dubbed “How Boards of Directors Really Feel about Cyber Security Reports,” the study (PDF) complements a February report from Bay Dynamics, titled “Reporting to the Board: Where CISOs and the Board are Missing the Mark” and meant to discover how IT and security executives feel about their information reports presented to the board.

While 97% of board members say they have a good idea of what to do with the information IT and security executives present to them, only 40 percent of security executives believe that information is actionable. While 70% of board members say they understand what they are being told, only around 30 percent of IT and security executives believe the board comprehends the information provided to them.

Moreover, while half of board member respondents believe IT and security executives use manually compiled spreadsheets to report cyber security data to the board, 81 percent of the responding IT and security executives admitted to using manually compiled spreadsheets to report data to the board.

Advertisement. Scroll to continue reading.

“Companies are headed in the right direction when it comes to managing their cyber risk. As our latest report shows, the board is engaged and holding IT and security executives accountable for reducing risk,” Ryan Stolte, Chief Technology Officer at Bay Dynamics, said. “However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbook and making decisions based on the same set of requirements.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem