CISO Cyber Communications Breakdown

CISOs and the board of directors are missing the mark when it comes to cybersecurity reporting.

According to Osterman Research, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cybersecurity threats.

Despite a general consensus that more automation can help address the security personnel staffing shortages, the report found that cybersecurity reporting still is dominated by manual methods: 81% of IT and security executives employ manually compiled spreadsheets to report data to the board. This process can lead to incorrect reporting and oversight of important data, whether it is due to intentional manipulation or human error.

One of those areas of oversight is security spending.

The most common type of information reported about cybersecurity issues is about known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data-loss incidents. Information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

The research also uncovered that IT and security executives say they frequently report breaches, but admit they don’t know about all of them: Four out of five respondents say they report major data breaches to the board, yet more than a third report they do not know all of the data breaches that occurred during 2015.

Interestingly, this lack of accuracy and completeness appears to worry a minority of businesses. Only two in five IT and security executives said that they are pressured by the board to provide an accurate report about data breaches and attack attempts; in fact, even fewer say there are repercussions if they do not provide an accurate report to the board.

“Overall, the report shows the board isn't doing its job when it comes to holding their CISOs accountable for providing actionable and accurate information about their cyber-risk and IT—and security executives are not doing their jobs and making sure the information they report is understandable, actionable and accurate,” said a spokesperson for Bay Dynamics, which sponsored the report.

Overall, only one-third of IT and security executives in the survey said that they believe that the board understands the information about cybersecurity threats that is provided to them. And fewer than two in five IT and security executives believe that risk is reduced as a result of their conversations and reports to the board.

“Arguably, the most important statistic noted in the figure below is that only 37% of IT and security executives agree or strongly agree that organisational risk is reduced as a result of their conversations with and reports to the board; in fact, 5% of those we surveyed either disagree or strongly disagree that risk is reduced,” the report concluded.

“The point of IT and security executives presenting information to a board of directors should be informing the board about cybersecurity threats and what is being done to address them—at many organizations that clearly is not happening, and so boards are not helping to reduce risk.”

Infosecurity: http://bit.ly/22dJOu6

