Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:01 AM
Connect Directly

3 Tips for Improving Communications with Top Management

Here are some steps security managers can take to deliver the information the executive suite needs to make better decisions on cyber security.

Corporate leadership finally understands that breaches can cost the company millions of dollars and that the future of the business depends on securing its network and IT infrastructure, according to a new report by Bay Dynamics.

The Ponemon Institute found in 2015 research that the average total cost of a data breach had increased 23 percent to $3.8 million from the previous two years. Make no mistake about it, the executive suite has noticed.

In fact, a new report released today by security analytics company Bay Dynamics found that 89 percent of board members say they are now “very involved” in making cyber risk decisions. 

“One of the most positive findings of the study is that top management now recognizes that a breach can be serious,” says Steven Grossman, vice president of program management at Bay Dynamics. “Management understands that victims can sue a company and it will be more than a $12 a month charge for credit card monitoring."

So now that the executive suite has its eye on IT security, the pressure is on security managers to report to top management in a more frequent and understandable way. Based on the Bay Dynamics report, the top three items the board wants from IT and security executives are the following:

1. Reports with clear language that does not require board members to be cyber experts. The report found that 81 percent of security executives say they use manually compiled spreadsheets to report data to the board. Grossman adds that typically security pros would use 30 to 40 spreadsheets to generate a report, which can lead to questions on how up-to-date or accurate the information is. He says what’s needed today are consistent reports that are easy to understand and are issued on a defined schedule; whatever the company deems appropriate.

2. Quantitative information about cyber risks. In the past, security executives would show data in a series of “green light” or “red light” charts that would outline potential vulnerabilities, but not detail specific data on how a vulnerability could impact the business. The study found that while only 40 percent of IT and security executives believed that their information was actionable, a full 97 percent of board members say they know exactly what to do or have a good idea of what to do with the information the technology executives present them. That kind of disconnect doesn’t cut it in an environment where a single breach can cost millions of dollars or take down a business for several weeks. For example, retailers need to know the financial impact of a breach of a POS system while a healthcare company needs to know the cost to the business of stolen medical records.

3. Progress made to address the company’s cyber risk. Here security managers need to focus on the vulnerabilities in terms of how the company has improved. It’s of value to a financial trading company to know that the company can patch a vulnerability in Windows within 24 hours once it's been identified. Executives can then discuss if that’s fast enough and set a schedule with the IT and security teams to receive updates that show progress over time on how the company is reducing that number.

Grossman adds that the security world is slowly catching up to the financial and sales domains. He says CFOs and sales managers have had analytics tools for managing the business for several years -- less so for security managers.

“Five years ago the CISO was reactive. Tthey would respond to an attack,” he explains. “And while technical expertise is still important, there is more emphasis on CISOs identifying what assets are of most value and what are the impacts of those threats.”  

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-24
IBM MQ 9.1 LTS, 9.2 LTS, and 9.1 CD AMQP Channels could allow an authenticated user to cause a denial of service due to an issue processing messages. IBM X-Force ID: 191747.
PUBLISHED: 2021-02-24
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
PUBLISHED: 2021-02-24
Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
PUBLISHED: 2021-02-24
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in...
PUBLISHED: 2021-02-24
BB-ESWGP506-2SFP-T versions 1.01.09 and prior is vulnerable due to the use of hard-coded credentials, which may allow an attacker to gain unauthorized access and permit the execution of arbitrary code on the BB-ESWGP506-2SFP-T (versions 1.01.01 and prior).