Operations

6/14/2016
09:01 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

3 Tips for Improving Communications with Top Management

Here are some steps security managers can take to deliver the information the executive suite needs to make better decisions on cyber security.

Corporate leadership finally understands that breaches can cost the company millions of dollars and that the future of the business depends on securing its network and IT infrastructure, according to a new report by Bay Dynamics.

The Ponemon Institute found in 2015 research that the average total cost of a data breach had increased 23 percent to $3.8 million from the previous two years. Make no mistake about it, the executive suite has noticed.

In fact, a new report released today by security analytics company Bay Dynamics found that 89 percent of board members say they are now “very involved” in making cyber risk decisions. 

“One of the most positive findings of the study is that top management now recognizes that a breach can be serious,” says Steven Grossman, vice president of program management at Bay Dynamics. “Management understands that victims can sue a company and it will be more than a $12 a month charge for credit card monitoring."

So now that the executive suite has its eye on IT security, the pressure is on security managers to report to top management in a more frequent and understandable way. Based on the Bay Dynamics report, the top three items the board wants from IT and security executives are the following:

1. Reports with clear language that does not require board members to be cyber experts. The report found that 81 percent of security executives say they use manually compiled spreadsheets to report data to the board. Grossman adds that typically security pros would use 30 to 40 spreadsheets to generate a report, which can lead to questions on how up-to-date or accurate the information is. He says what’s needed today are consistent reports that are easy to understand and are issued on a defined schedule; whatever the company deems appropriate.

2. Quantitative information about cyber risks. In the past, security executives would show data in a series of “green light” or “red light” charts that would outline potential vulnerabilities, but not detail specific data on how a vulnerability could impact the business. The study found that while only 40 percent of IT and security executives believed that their information was actionable, a full 97 percent of board members say they know exactly what to do or have a good idea of what to do with the information the technology executives present them. That kind of disconnect doesn’t cut it in an environment where a single breach can cost millions of dollars or take down a business for several weeks. For example, retailers need to know the financial impact of a breach of a POS system while a healthcare company needs to know the cost to the business of stolen medical records.

3. Progress made to address the company’s cyber risk. Here security managers need to focus on the vulnerabilities in terms of how the company has improved. It’s of value to a financial trading company to know that the company can patch a vulnerability in Windows within 24 hours once it's been identified. Executives can then discuss if that’s fast enough and set a schedule with the IT and security teams to receive updates that show progress over time on how the company is reducing that number.

Grossman adds that the security world is slowly catching up to the financial and sales domains. He says CFOs and sales managers have had analytics tools for managing the business for several years -- less so for security managers.

“Five years ago the CISO was reactive. Tthey would respond to an attack,” he explains. “And while technical expertise is still important, there is more emphasis on CISOs identifying what assets are of most value and what are the impacts of those threats.”  

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.