How Boards Really Feel About Cyber Security Reports

January 23, 2019  Colin Best

With the public eye narrowing in on cyber security issues, board members and information security professionals alike have been charged with not only protecting data that is valuable to their company and clients, but also with safeguarding an organization's reputation. These important duties all start with conversations in the board room. In this article, I would like to address three key data points from a recent  Osterman Research survey on how boards really feel about cyber security reporting. In the process, I hope to highlight the communication gap that we at  RiskLens have been working to bridge between security professionals and the board.

54% of board members agree that the information presented is too technical

Whether or not a board member has a security background, they must rely heavily on the information that is presented to them by their information security team. With new threats emerging just as fast as old ones are being mitigated, it is not surprising that many decisions about security expenditures have been pushed forward by fear, uncertainty, and doubt. Over half of all board members surveyed believe that the information they are shown is too technical. What is implicit is the need for a common language of communication. Cyber risk has become synonymous with business risk, and board member demands are centering around seeing cyber risk represented in the same way they see reports on other business risks, in dollars and cents.

85% of board members believe that IT security executives need to improve the way that they report

Boards want to be able to discuss the risks they are facing in a language that they can understand. The surveyed board members indicated that they wanted to see more quantitative results that can enable them to make business decisions based on financial numbers. Key stakeholders wanted to see the ROI of their budget expenditures so that they can evaluate past performance and forecast the effects of future initiatives in reducing loss exposure. In our experience at RiskLens, the qualitative representations of risk that are typically shown such as heat maps, ordinal scales, or color coded rankings are not sufficient in arming board members with the knowledge they need to justify loosening the company purse strings.

40% of IT security executives believe that the data they provide is actionable

This is where the story gets interesting. The data that Osterman Research gathered shows that only 40% of IT security executives believe that the data they are providing to the board is actionable. Clearly, IT executives and the board both agree that reporting isn't up to par. The typical reports that are being shown lack quantitative results, are far too technical, and don't enable business decisions. So, what next?

The solution for many organizations has been to adopt a cyber value-at-risk model like  FAIR, or factor analysis of information risk. FAIR is an international standard for measuring and managing information risk, which breaks down risk into discrete factors that can be quantified. The model is being adopted by a growing number of Fortune companies to report on cyber risk. FAIR is also an open-source model that can be freely used by any organization, and it is even supported by non-profit organizations like the  FAIR Institute. By using FAIR, organizations have been able to use a common taxonomy for talking about risk, quantify their cyber risk loss exposure, and better prioritize their risk mitigations based on their financial impact to the business.