Why Is Security Reporting Still Failing?

Accountability is now a major force in cybersecurity. We have seen the Securities and Exchange Commission (SEC) hold the SolarWinds CISO, Timothy Brown, to account, accusing him of overstating the company's cybersecurity practices and failing to disclose known risks, while Uber's former CISO, Joe Sullivan, narrowly escaped a custodial sentence for failing to disclose a breach. Stateside, the SEC introduced new incident reporting requirements on timely disclosure last year and, closer to home, NIS2 will also introduce accountability requirements for corporate management in October, which could see individuals fined, banned or removed from managerial functions.

What this means is that the pressure to communicate risk effectively to the board has increased enormously, yet it is still an area many CISOs struggle with.

From the CISO's perspective, the difficulty lies in communicating abstract concepts to a board that lacks technical background. According to the Voice of the CISO Report 2023, 62% of CISOs believe cybersecurity expertise should be a board-level requirement, which says a great deal about how scarce technical knowledge is in the boardroom.

On the other side of the divide, a PwC Pulse Survey found only 32% of corporate directors say they are completely satisfied with the information they are given on cybersecurity, suggesting that the way information is imparted is impairing decision making. Another recent survey found only 69% of directors see eye-to-eye with their CISO, and the Voice of the CISO report found only 51% of CISOs feel they have their board's backing, compared to 71% the year before.
 
Resolving this disconnect will not be easy. Nearly a quarter (24%) of all UK businesses do not feel confident communicating cyber risk to directors, trustees and senior managers, according to the UK government's Cyber security skills in the UK labour market 2023 report. Moreover, 35% said management understand neither the staffing needs nor the cyber risks facing the organisation, and 40% do not think their senior leaders understand when cyber security breaches need to be reported externally or the steps needed to manage a breach.

Failing to communicate risk adequately can negate any security gains already made, undermine security initiatives and put budget at risk.

The disconnect also produces an over-emphasis on statistical outcomes, on how effective the business is at stopping attacks, rather than on the acceptance of risk and a focus on resilience. After all, attacks are inevitable; what matters is how they are dealt with and what their potential impact is. So the CISO's problem becomes one of educating the board and translating technical jargon before they can even get to the nitty-gritty of how risk is being assessed.

It is here that CISOs make their biggest mistake, and it is here that they most often lose their audience. The board will switch off when confronted with intangibles such as risk scores, matrices and attack vectors, however well those numbers are presented. For directors, it is all about sustaining business as usual and preventing disruption. So the most effective way to communicate cyber threats and mitigation is to focus on the risk to those business processes and the associated business impacts. Understanding the impact radius of a breach or attack provides the context needed to justify refining processes and controls.

For example, instead of using a "Red/Amber/Green" (RAG) status or a number to indicate a perceived risk, reporting should focus on the actual outcomes if the risk materialises and what they would mean to the business in practical terms, which is to say the potential costs. These might take the form of lost business, reputational damage, financial loss, or non-compliance and the penalties that follow. Such impacts are easier to relate to, and a risk that is quantified and understood is far more likely to secure the resources needed to control it, which is ultimately the CISO's goal.

Measurements do of course have a place, but it is the ability to draw comparisons that demonstrates progress. One example is assessing the cyber maturity of the business, which is typically evaluated against a risk framework such as the NIST Cybersecurity Framework (CSF). It features six easily understood Functions (Identify, Protect, Detect, Respond and Recover, with Govern as the overarching theme), and the framework itself aims to "provide a common language for communicating inside and outside the organisation about cybersecurity risks, capabilities, needs and expectations". In a maturity assessment, each of those six Functions is rated on a sliding scale, with recommendations for improvement to move the business forward on its journey towards cyber maturity.

Conducted on a regular basis, this kind of easily intelligible information helps evaluate current provision and guide future spend and investment.
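To make the "comparisons over time" concrete, here is a small added example (not code from the article or from NIST) that takes two maturity assessments across the six CSF 2.0 Functions, validates them, and produces the kind of table a board update might carry: previous score, current score, target, remaining gap and a one-word status, plus a list of any Functions that regressed. The 1-to-5 scale, the target levels and the sample scores are all assumptions constructed for illustration; substitute the scale your own assessment uses.

```python
"""Compare two NIST CSF 2.0 maturity assessments for a board update.

Added example, not from the article. The six Function names are NIST's;
the 1-5 scale, the targets and the sample scores below are constructed.
"""
from dataclasses import dataclass

FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")
SCALE_MIN, SCALE_MAX = 1, 5  # assumed maturity scale; adjust to your assessment


def validate(assessment: dict) -> dict:
    """Reject an assessment that misses a Function, names an unknown one,
    or scores outside the scale, so a typo never reaches the board pack."""
    missing = [f for f in FUNCTIONS if f not in assessment]
    if missing:
        raise ValueError(f"assessment missing Functions: {missing}")
    for name, score in assessment.items():
        if name not in FUNCTIONS:
            raise ValueError(f"unknown Function {name!r}")
        if not isinstance(score, int) or not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{name}: score {score!r} outside {SCALE_MIN}-{SCALE_MAX}")
    return assessment


@dataclass(frozen=True)
class FunctionReport:
    function: str
    previous: int
    current: int
    target: int

    @property
    def delta(self) -> int:
        return self.current - self.previous

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)  # distance still to travel

    @property
    def status(self) -> str:
        if self.delta < 0:
            return "REGRESSED"
        if self.gap == 0:
            return "AT TARGET"
        return "IMPROVING" if self.delta > 0 else "STALLED"


def compare(previous: dict, current: dict, target: dict) -> list:
    """Build one FunctionReport per CSF Function, in the framework's order."""
    validate(previous), validate(current), validate(target)
    return [FunctionReport(f, previous[f], current[f], target[f]) for f in FUNCTIONS]


def regressions(reports: list) -> list:
    """Functions whose score fell since the last assessment."""
    return [r.function for r in reports if r.delta < 0]


def weakest(reports: list) -> str:
    """Function furthest from target (ties broken by lowest current score)."""
    return max(reports, key=lambda r: (r.gap, -r.current)).function


def overall_gap(reports: list) -> int:
    """Sum of remaining gaps; a single trend figure for the board."""
    return sum(r.gap for r in reports)


def board_summary(reports: list) -> str:
    """Plain-text table suitable for pasting into a quarterly update."""
    header = f"{'Function':<10}{'Prev':>5}{'Now':>5}{'Target':>7}{'Gap':>5}  Status"
    rows = [
        f"{r.function:<10}{r.previous:>5}{r.current:>5}{r.target:>7}{r.gap:>5}  {r.status}"
        for r in reports
    ]
    return "\n".join([header, *rows])


# Constructed sample data: two assessments six months apart and a uniform target.
PREVIOUS = {"Govern": 2, "Identify": 3, "Protect": 3, "Detect": 2, "Respond": 2, "Recover": 1}
LATEST = {"Govern": 3, "Identify": 3, "Protect": 4, "Detect": 3, "Respond": 1, "Recover": 2}
TARGET = {f: 4 for f in FUNCTIONS}

if __name__ == "__main__":
    reports = compare(PREVIOUS, LATEST, TARGET)
    print(board_summary(reports))
    print("Regressed:", regressions(reports))
    print("Largest gap:", weakest(reports))
    print("Total gap to target:", overall_gap(reports))
```

The point of the validation step is that a board pack is only as credible as its inputs: a missing Function or a score typed as 7 on a 5-point scale should fail loudly before anyone builds a trend line on it. The "REGRESSED" status is deliberately given priority over the gap, because a Function that slipped back is the item that needs a decision, not the one that is merely still short of target.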

The maturity assessment is just a single, albeit important, facet of reporting to the board. CISOs also routinely provide updates on changes to the risk landscape and how these are being prioritised, on security incidents, and on projects and initiatives, typically on a quarterly, six-monthly or annual basis. The RSAC Executive Security Action Forum (ESAF) delves into these other areas in more depth in its report, "What top CISOs include in updates to the board", and offers some interesting insights into ways information can be conveyed more meaningfully, from hypothetical scenarios to qualitative observations.

Interestingly, how the CISOs in the report present their information is usually determined by what they feel accountable to the board for. Those who believe they should show progress over time were more likely to rely on metrics, those focused on delivering results favoured a roadmap, and those looking to manage and prioritise risk tended to use a risk framework. Of course, the push towards greater accountability is likely to mean they need to deliver on all three fronts.

If we go back to the Uber case, however, Sullivan says there are some clear lessons to be learnt. He has since gone on record as saying the company did as advised, observing the terms of its Directors and Officers (D&O) insurance policy, which is meant to cover senior management's personal liability in such scenarios. As specified in the data breach policy, the legal and communications teams were called and the CEO was kept informed. Their mistake, he says, was that the company did not call in a third-party investigator to review how the breach was handled and so ensure genuine transparency.

It is a situation no CISO wants to be in, but when it does happen, those communication skills and alignment with the board can make all the difference. They get both sides on the same page, make effective decision making more likely, and help make the call when the time comes to bring in the specialists.

Phil Robinson is Principal Consultant at Prism Infosec
