CISO Cyber Communications Breakdown

CISOs and the board of directors are missing the mark when it comes to cybersecurity reporting.

According to Osterman Research, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cybersecurity threats.

Despite a general consensus that more automation can help address the security personnel staffing shortages, the report found that cybersecurity reporting still is dominated by manual methods: 81% of IT and security executives employ manually compiled spreadsheets to report data to the board. This process can lead to incorrect reporting and oversight of important data, whether it is due to intentional manipulation or human error.

One of those areas of oversight is security spending.

The most common type of information reported about cybersecurity issues is about known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data-loss incidents. Information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

The research also uncovered that IT and security executives say they frequently report breaches, but admit they don’t know about all of them: Four out of five respondents say they report major data breaches to the board, yet more than a third report they do not know all of the data breaches that occurred during 2015.

Interestingly, this lack of accuracy and completeness appears to worry a minority of businesses. Only two in five IT and security executives said that they are pressured by the board to provide an accurate report about data breaches and attack attempts; in fact, even fewer say there are repercussions if they do not provide an accurate report to the board.

 “Overall, the report shows the board isn't doing its job when it comes to holding their CISOs accountable for providing actionable and accurate information about their cyber-risk and IT—and security executives are not doing their jobs and making sure the information they report is understandable, actionable and accurate,” said a spokesperson for Bay Dynamics, which sponsored the report.

Overall, only one-third of IT and security executives in the survey said that they believe that the board understands the information about cybersecurity threats that is provided to them. And fewer than two in five IT and security executives believe that risk is reduced as a result of their conversations and reports to the board.

“Arguably, the most important statistic noted in the figure below is that only 37% of IT and security executives agree or strongly agree that organisational risk is reduced as a result of their conversations with and reports to the board, in fact, 5% of those we surveyed either disagree or strongly disagree that risk is reduced,” the report concluded.

“The point of IT and security executives presenting information to a board of directors should be informing the board about cybersecurity threats and what is being done to address them—at many organizations that clearly is not happening, and so boards are not helping to reduce risk.”

Infosecurity: http://bit.ly/22dJOu6

« Russian Cyber War Training Can Be A Killer
The Top 4 IT Risks For Small Businesses »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Cyber Security Network

Cyber Security Network

Cyber Security Network provide specialist cyber security recruitment services.

BTWorks

BTWorks

BTWorks provides identity management and anti-phishing / smishing solutions for web and mobile apps.

Coro Cybersecurity

Coro Cybersecurity

Coro (formerly Coronet) empowers organizations to protect against malware, ransomware, phishing, and botnets - across devices, users, and cloud applications.

Flexera

Flexera

Flexera is reimagining the way software is bought, sold, managed and secured.

Core Security

Core Security

Core Security provides threat-aware identity, access, authentication and vulnerability management solutions.

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC) is one of the most distinguished Cybersecurity, Privacy and Information Security Conference in Thailand and Southeast Asia.

InstaSafe Technologies

InstaSafe Technologies

InstaSafe®, a Software Defined Perimeter based (SDP) one-stop Secure Access Solution for On-Premise and Cloud Applications.

Temasoft

Temasoft

TEMASOFT is a software company focused on developing security and infrastructure products.

Data Eliminate

Data Eliminate

Data Eliminate provide data destruction, secure end-of-life IT asset disposal, and data protection consultancy services.

Razorpoint Cybersecurity

Razorpoint Cybersecurity

Razorpoint’s world-class security experts have provided advanced, effective cybersecurity expertise to corporate and public-sector organizations around the world.

Recon InfoSec

Recon InfoSec

The Recon InfoSec team includes analysts, architects, engineers, intrusion specialists, penetration testers, and operations experts.

Department of Homeland Security (DHS)

Department of Homeland Security (DHS)

The Department of Homeland Security has a vital mission: to secure the nation from the many threats we face. Our duties are wide-ranging, but our goal is clear - keeping America safe.

CampusGuard

CampusGuard

CampusGuard focuses on the cybersecurity and compliance needs of campus-based organizations including higher education, healthcare, and state and local government.

Appknox

Appknox

Appknox is the world’s most powerful plug-and-play security platform that helps developers, security researchers, and enterprises to build a safe and secure mobile ecosystem.

CyberForce Global

CyberForce Global

CyberForce Global are at the forefront of start-up technology recruitment in areas including cybersecurity, IT infrastructure, software, fintech, blockchain and more.

Cyber Brain Academy

Cyber Brain Academy

At Cyber Brain Academy, our mission is to provide high-quality IT certification training for the cyber security workforce.