IT security executives tell boards what they want to hear
A new report reveals that just four out of 10 IT and security executives feel the information they provide to the board of directors is actionable and that they often tell them what they want to hear.
The report from threat intelligence company Bay Dynamics also shows that only 39 percent believe they are getting the help they need from the board to address cyber security threats.
Based on a study conducted by Osterman Research among IT and security executives in 136 US companies, the report shows manual reporting methods still dominate. Manually compiled spreadsheets are used to report data to the board by 81 percent, a process which can lead to incorrect reporting and oversight of important data, whether due to intentional manipulation or to human error.
Boards have a strong preference for qualitative information, according to 53 percent of respondents, with 38 percent saying their boards prefer quantitative information.
"The report reveals that both the board and security professionals are not doing their jobs when it comes to security reporting," says Feris Rifai, co-founder and CEO at Bay Dynamics. "The board isn't holding IT and security executives accountable for providing accurate, traceable and actionable information and security executives are failing to report information that is accurate, traceable and actionable. Both parties must do better if they want to make the right decisions that minimize their cyber risk".
Among other findings are that the most common type of information reported about cyber security issues is known vulnerabilities within the organizational systems, followed by recommendations on cyber security program improvements and specific details on data loss incidents. Information about the cost of cyber security programs and details about expenditures on specific projects or controls are not as commonly reported.
The most common criteria used to determine which type of intrusion to report is the type of data affected -- cited by 84 percent of respondents. This includes whether the data breached or attacked was sensitive or confidential, such as customers’ financial data or personal information, or corporate financial data.
"Security is now everyone's problem -- from the IT team to the C-suite and the boardroom. As a result, reporting the right type of information with the right context, in addition to making it actionable, has never been more critical," says Michael Osterman, Principal Analyst at Osterman Research. "It is imperative that security executives reconsider how they’re getting their information, the type of information they're reporting, and how they’re reporting it, so that the board can effectively take action to make smart security decisions".
The full report is available to download from the Bay Dynamics website.