CISO Cyber Communications Breakdown

Uploaded on 2016-04-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

CISOs and the board of directors are missing the mark when it comes to cybersecurity reporting.

According to Osterman Research, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cybersecurity threats.

Despite a general consensus that more automation can help address the security personnel staffing shortages, the report found that cybersecurity reporting still is dominated by manual methods: 81% of IT and security executives employ manually compiled spreadsheets to report data to the board. This process can lead to incorrect reporting and oversight of important data, whether it is due to intentional manipulation or human error.

One of those areas of oversight is security spending.

The most common type of information reported about cybersecurity issues is about known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data-loss incidents. Information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

The research also uncovered that IT and security executives say they frequently report breaches, but admit they don’t know about all of them: Four out of five respondents say they report major data breaches to the board, yet more than a third report they do not know all of the data breaches that occurred during 2015.

Interestingly, this lack of accuracy and completeness appears to worry a minority of businesses. Only two in five IT and security executives said that they are pressured by the board to provide an accurate report about data breaches and attack attempts; in fact, even fewer say there are repercussions if they do not provide an accurate report to the board.

 “Overall, the report shows the board isn't doing its job when it comes to holding their CISOs accountable for providing actionable and accurate information about their cyber-risk and IT—and security executives are not doing their jobs and making sure the information they report is understandable, actionable and accurate,” said a spokesperson for Bay Dynamics, which sponsored the report.

Overall, only one-third of IT and security executives in the survey said that they believe that the board understands the information about cybersecurity threats that is provided to them. And fewer than two in five IT and security executives believe that risk is reduced as a result of their conversations and reports to the board.

“Arguably, the most important statistic noted in the figure below is that only 37% of IT and security executives agree or strongly agree that organisational risk is reduced as a result of their conversations with and reports to the board, in fact, 5% of those we surveyed either disagree or strongly disagree that risk is reduced,” the report concluded.

“The point of IT and security executives presenting information to a board of directors should be informing the board about cybersecurity threats and what is being done to address them—at many organizations that clearly is not happening, and so boards are not helping to reduce risk.”

Infosecurity: http://bit.ly/22dJOu6

« Russian Cyber War Training Can Be A Killer
The Top 4 IT Risks For Small Businesses »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Titus

Titus

Titus is a global leader in enterprise-grade data protection solutions.

PFP Cybersecurity

PFP Cybersecurity

PFP provides a SaaS solution for life-cycle protection based on our IoT security platform and power usage analytics.

RazorSecure

RazorSecure

RazorSecure offers products and services to enhance railway cyber security, by protecting and monitoring networks and key systems.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

TeskaLabs

TeskaLabs

TeskaLabs is a software vendor of cybersecurity and data privacy products.

Applied Magnetics Laboratory (AML)

Applied Magnetics Laboratory (AML)

Applied Magnetics Laboratory is a manufacturer of military security and data destruction equipment for sensitive, classified, and secret information.

Infosec Global

Infosec Global

Infosec Global provides technology innovation, thought leadership and expertise in cryptographic life-cycle management.

Research Institute in Verified Trustworthy Software Systems (VeTSS)

Research Institute in Verified Trustworthy Software Systems (VeTSS)

The main purpose of VeTSS is to support program analysis, testing and verification, to achieve guarantees of software correctness, safety, and security.

Dhound

Dhound

Dhound is a cybersecurity company providing web application penetration testing.

Revere Technologies

Revere Technologies

Revere Technologies is a pure-play cyber security solutions and services provider in Sub-Saharan Africa.

LogicBoost Labs

LogicBoost Labs

LogicBoost Labs has the expertise, experience, funding and connections to make your startup succeed. We are always interested in new ways to change the world for the better.

Vectra AI

Vectra AI

Vectra threat detection & response - see and stop threats across hybrid and multi-cloud enterprises.

Focus on Security

Focus on Security

Focus on Security are Cyber Security recruitment specialists. We’re dedicated to connecting you with the top Cyber Security talent across the globe. We focus on partnerships and results.

Beetles Cyber Security

Beetles Cyber Security

Beetles is a crowdsourced penetration testing platform designed to build a trusted, hacker-centric approach to protectan organization’s digital attack surface.

Bearer

Bearer

Bearer helps modern teams ship trustworthy products with the help of our code security solution built for security, privacy and engineering teams.

SecuLore

SecuLore

An innovator in public-safety-focused cybersecurity, SecuLore is dedicated to protecting critical infrastructure from cyber attacks.