Operations

6/14/2016
09:01 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

3 Tips for Improving Communications with Top Management

Here are some steps security managers can take to deliver the information the executive suite needs to make better decisions on cyber security.

Corporate leadership finally understands that breaches can cost the company millions of dollars and that the future of the business depends on securing its network and IT infrastructure, according to a new report by Bay Dynamics.

The Ponemon Institute found in 2015 research that the average total cost of a data breach had increased 23 percent to $3.8 million from the previous two years. Make no mistake about it, the executive suite has noticed.

In fact, a new report released today by security analytics company Bay Dynamics found that 89 percent of board members say they are now “very involved” in making cyber risk decisions. 

“One of the most positive findings of the study is that top management now recognizes that a breach can be serious,” says Steven Grossman, vice president of program management at Bay Dynamics. “Management understands that victims can sue a company and it will be more than a $12 a month charge for credit card monitoring."

So now that the executive suite has its eye on IT security, the pressure is on security managers to report to top management in a more frequent and understandable way. Based on the Bay Dynamics report, the top three items the board wants from IT and security executives are the following:

1. Reports with clear language that does not require board members to be cyber experts. The report found that 81 percent of security executives say they use manually compiled spreadsheets to report data to the board. Grossman adds that typically security pros would use 30 to 40 spreadsheets to generate a report, which can lead to questions on how up-to-date or accurate the information is. He says what’s needed today are consistent reports that are easy to understand and are issued on a defined schedule; whatever the company deems appropriate.

2. Quantitative information about cyber risks. In the past, security executives would show data in a series of “green light” or “red light” charts that would outline potential vulnerabilities, but not detail specific data on how a vulnerability could impact the business. The study found that while only 40 percent of IT and security executives believed that their information was actionable, a full 97 percent of board members say they know exactly what to do or have a good idea of what to do with the information the technology executives present them. That kind of disconnect doesn’t cut it in an environment where a single breach can cost millions of dollars or take down a business for several weeks. For example, retailers need to know the financial impact of a breach of a POS system while a healthcare company needs to know the cost to the business of stolen medical records.

3. Progress made to address the company’s cyber risk. Here security managers need to focus on the vulnerabilities in terms of how the company has improved. It’s of value to a financial trading company to know that the company can patch a vulnerability in Windows within 24 hours once it's been identified. Executives can then discuss if that’s fast enough and set a schedule with the IT and security teams to receive updates that show progress over time on how the company is reducing that number.

Grossman adds that the security world is slowly catching up to the financial and sales domains. He says CFOs and sales managers have had analytics tools for managing the business for several years -- less so for security managers.

“Five years ago the CISO was reactive. Tthey would respond to an attack,” he explains. “And while technical expertise is still important, there is more emphasis on CISOs identifying what assets are of most value and what are the impacts of those threats.”  

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.