A recent article in Corporate Board Member magazine by James Lam, succinctly sums up the growing frustration among boards of directors with cybersecurity measurement and reporting from CISOs—in a year when every few weeks has brought reports of a new data breach or other attack with seriously damaging costs to a major company.
Lam is Independent Director and Chair of the Risk Committee for E*TRADE Financial. “To put it bluntly, cybersecurity is in a state of crisis,” he writes. “More than 80 percent of U.S. companies say their systems have been hacked in an attempt to steal or change important data.”
Companies are spending more on security “but they continue to lose the battle” because cybersecurity and audit teams treat the problem as either a technical or a compliance issue.
They report to the board in “tactical, jargon-laden information [that] too often goes over the head of board members…and doesn’t get to the heart of the matter: What is the cost/benefit of the company’s cybersecurity investments, where are we versus where we need to be, and how are we measuring the risk?”
Lam urges boards to “cut through the noise” and lead a “shift to a different model in which cyber risk is quantified and integrated into the company’s overall enterprise risk framework, leveraging practices already applied to strategic, financial and operational risks.”
Read Lam’s specific recommendations in his article “How Boards Can Help Companies Improve Cybersecurity“.
Download our eBook “An Executive’s Guide to Cyber Risk Economics” for more on leading strategic change in cybersecurity.