New Report Identifies Broken Communication in Cybersecurity Board Reporting

“Reporting to the Board: Where CISOs and the Board are Missing the Mark” Reveals Majority of IT and Security Executives Say Information They Provide is Not Actionable

February 29, 2016



SAN FRANCISCO, February 29, 2016 – Bay Dynamics is unveiling a new report today that details what kind of information IT and security executives report to the board of directors, how they report information and whether or not the information is effective in minimizing companies’ cyber risk. The report, titled, “Reporting to the Board: Where CISOs and the Board are Missing the Mark” reveals that only two in five IT and security executives feel the information they provide to the board of directors is actionable. Even fewer believe they are getting the help they need from the board to address cybersecurity threats.

“The report reveals that both the board and security professionals are not doing their jobs when it comes to security reporting,” said Feris Rifai, co-founder and CEO at Bay Dynamics. “The board isn’t holding IT and security executives accountable for providing accurate, traceable and actionable information, and security executives are failing to report information that is accurate, traceable and actionable. Both parties must do better if they want to make the right decisions that minimize their cyber risk.”

The report is based on a survey conducted during December 2015-January 2016 by the third-party research firm Osterman Research, which asked IT and security executives within 136 organizations about the types of cybersecurity activity they report to their board of directors. All of the respondents work for organizations that have at least 2,000 employees and are based in the United States.

Highlights from the report include:

- IT and security executives tell the board what they want to hear, even though the information is often not actionable: The ability of IT and security executives to report meaningful information to their boards is lacking. Two-thirds of those surveyed agree or strongly agree that they know what to present to the board; however, only two in five IT and security executives agree or strongly agree that the information they provide to the board contains actionable information. In addition, only 39 percent of respondents believe they are getting the support they need from the board to address threats.

- Cybersecurity reporting is dominated by manual methods: Eighty-one percent of IT and security executives employ manually compiled spreadsheets to report data to the board. This process can lead to incorrect reporting and oversight of important data, whether due to intentional manipulation or human error.

- Boards prefer qualitative to quantitative information: Fifty-three percent of IT and security executives indicate that their boards have a strong preference for qualitative information, and 38 percent said boards have a strong preference for quantitative information. However, in order to make appropriate decisions, the board needs quantitative information in context, meaning qualitative information must be wrapped around quantitative information.

- Security spending is less frequently reported: The most common type of information reported about cybersecurity issues is known vulnerabilities within the organizational systems, followed by recommendations on cybersecurity program improvements and specific details on data loss incidents. Information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

- The type of data breached matters most: Eighty-four percent of respondents indicated that the most common criterion they use to determine which type of intrusion to report is the type of data affected: whether the data breached or attacked was sensitive or confidential, such as customers’ financial data or personal information, or corporate financial data.

“Security is now everyone’s problem - from the IT team to the C-suite and the boardroom. As a result, reporting the right type of information with the right context, in addition to making it actionable, has never been more critical,” said Michael Osterman, Principal Analyst at Osterman Research. “It is imperative that security executives reconsider how they’re getting their information, the type of information they’re reporting, and how they’re reporting it, so that the board can effectively take action to make smart security decisions.”

To download “Reporting to the Board: Where CISOs and the Board are Missing the Mark” go to:

About Bay Dynamics

Bay Dynamics® is the market leader in predicting and stopping cyber-attacks before they happen. The company specializes in cyber risk predictive analytics, identifying behaviors of company insiders, third party contractors and outsiders that may lead to an attack. The company’s purpose-built Risk Fabric® platform assembles and correlates relevant data from existing tools in a novel patented way to provide actionable cyber risk insights, before it’s too late. Bay Dynamics enables some of the world’s largest organizations to understand the state of their cybersecurity posture, including contextual awareness of what their insiders, vendors and bad actors are doing, which is key to effective cyber risk management. 
