CISO Cyber Communications Breakdown

CISOs and the board of directors are missing the mark when it comes to cybersecurity reporting.

According to Osterman Research, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cybersecurity threats.

Despite a general consensus that more automation can help address the security personnel staffing shortage, the report found that cybersecurity reporting is still dominated by manual methods: 81% of IT and security executives use manually compiled spreadsheets to report data to the board. This process can lead to incorrect reporting and to important data being overlooked, whether through intentional manipulation or human error.

One area that is commonly overlooked is security spending.

The most common type of information reported about cybersecurity issues is about known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data-loss incidents. Information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

The research also uncovered that IT and security executives say they frequently report breaches, but admit they don’t know about all of them: four out of five respondents say they report major data breaches to the board, yet more than a third report that they do not know about all of the data breaches that occurred during 2015.

Interestingly, this lack of accuracy and completeness appears to worry a minority of businesses. Only two in five IT and security executives said that they are pressured by the board to provide an accurate report about data breaches and attack attempts; in fact, even fewer say there are repercussions if they do not provide an accurate report to the board.

“Overall, the report shows the board isn't doing its job when it comes to holding their CISOs accountable for providing actionable and accurate information about their cyber-risk and IT—and security executives are not doing their jobs and making sure the information they report is understandable, actionable and accurate,” said a spokesperson for Bay Dynamics, which sponsored the report.

Overall, only one-third of IT and security executives in the survey said that they believe that the board understands the information about cybersecurity threats that is provided to them. And fewer than two in five IT and security executives believe that risk is reduced as a result of their conversations and reports to the board.

“Arguably, the most important statistic noted in the figure below is that only 37% of IT and security executives agree or strongly agree that organisational risk is reduced as a result of their conversations with and reports to the board; in fact, 5% of those we surveyed either disagree or strongly disagree that risk is reduced,” the report concluded.

“The point of IT and security executives presenting information to a board of directors should be informing the board about cybersecurity threats and what is being done to address them—at many organizations that clearly is not happening, and so boards are not helping to reduce risk.”

Infosecurity: http://bit.ly/22dJOu6
