CISOs Risk Getting Fired Over Poor Reporting

Board members are paying attention to the cyber risk information reported to them and many say that cybersecurity executives could lose their jobs if they fail to provide useful, actionable information, a recent survey from Bay Dynamics reveals.

According to the study, 89% of board members surveyed said they are very involved in making cyber risk decisions, while 74% of them said the cyber risk information is provided to them weekly. However, they also say that IT and security executives should be held accountable for presenting quality reports, with 59% of respondents saying security executives will lose their jobs as a result of failing to provide useful, actionable information.

The survey also found that 70% of board members say they understand what IT and security executives tell them in their presentations, but more than half believe the data presented is too technical. 26% of respondents say that cyber risk has the highest priority, while financial, legal, regulatory and competitive risks had scores of 16 to 22 percent.

Based on a nationwide survey conducted by research firm Osterman Research among 125 enterprise executives who actively serve on a board of directors, the report also reveals that there is room for reporting improvements. More than 60% respondents say they are very satisfied and with the typical presentation from IT and security executives, 85 percent believe that IT and security executives need to improve the way they report to the board.

Dubbed “How Boards of Directors Really Feel about Cyber Security Reports,” the study (PDF) complements a February report from Bay Dynamics, titled “Reporting to the Board: Where CISOs and the Board are Missing the Mark” and meant to discover how IT and security executives feel about their information reports presented to the board.

While 97% of board members say they have a good idea of what to do with the information IT and security executives present to them, only 40 percent of security executives believe that information is actionable. While 70% of board members say they understand what they are being told, only around 30 percent of IT and security executives believe the board comprehends the information provided to them.

Moreover, while half of board member respondents believe IT and security executives use manually compiled spreadsheets to report cyber security data to the board, 81 percent of the responding IT and security executives admitted to using manually compiled spreadsheets to report data to the board.

“Companies are headed in the right direction when it comes to managing their cyber risk. As our latest report shows, the board is engaged and holding IT and security executives accountable for reducing risk,” Ryan Stolte, Chief Technology Officer at Bay Dynamics, said. “However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbook and making decisions based on the same set of requirements.”