
Operations

2/29/2016 12:40 PM
Dark Reading
Products and Releases

New Report Identifies Broken Communication in Cybersecurity Board Reporting

“Reporting to the Board: Where CISOs and the Board are Missing the Mark” Reveals Majority of IT and Security Executives Say Information They Provide is Not Actionable

SAN FRANCISCO, February 29, 2016 – Bay Dynamics is unveiling a new report today that details what kind of information IT and security executives report to the board of directors, how they report it and whether that information is effective in minimizing companies’ cyber risk. The report, titled “Reporting to the Board: Where CISOs and the Board are Missing the Mark,” reveals that only two in five IT and security executives feel the information they provide to the board of directors is actionable. Even fewer believe they are getting the help they need from the board to address cybersecurity threats.

“The report reveals that both the board and security professionals are not doing their jobs when it comes to security reporting,” said Feris Rifai, co-founder and CEO at Bay Dynamics. “The board isn’t holding IT and security executives accountable for providing accurate, traceable and actionable information and security executives are failing to report information that is accurate, traceable and actionable. Both parties must do better if they want to make the right decisions that minimize their cyber risk.” 

The report is based on a survey conducted during December 2015–January 2016 by the third-party research company Osterman Research, which asked IT and security executives within 136 organizations about the types of cyber security activity they report to their board of directors. All of the respondents work for organizations that have at least 2,000 employees and are based in the United States.

Highlights from the report include:

- IT and security executives tell the board what they want to hear, even though the information is often not actionable: The ability of IT and security executives to report meaningful information to their boards is lacking. Two-thirds of those surveyed agree or strongly agree that they know what to present to the board; however, only two in five IT and security executives agree or strongly agree that the information they provide to the board contains actionable information. In addition, only 39 percent of respondents believe they are getting the support they need from the board to address threats.

- Cyber security reporting is dominated by manual methods: Eighty-one percent of IT and security executives employ manually compiled spreadsheets to report data to the board. This process can lead to incorrect reporting and oversight of important data, whether due to intentional manipulation or human error.

- Boards prefer qualitative to quantitative information: Fifty-three percent of IT and security executives indicate that their boards have a strong preference for qualitative information, and 38 percent said boards have a strong preference for quantitative information. However, in order to make appropriate decisions, the board needs quantitative information in context, meaning qualitative information must be wrapped around quantitative information.

- Security spending is less frequently reported: The most common type of information reported about cyber security issues is known vulnerabilities within the organizational systems, followed by recommendations on cyber security program improvements and specific details on data loss incidents. Information about the cost of cyber security programs and details about expenditures on specific projects or controls are not as commonly reported.

- The type of data breached matters most: Eighty-four percent of respondents indicated that the most common criterion they use to determine which type of intrusion to report is the type of data affected – whether the data breached or attacked was sensitive or confidential, such as customers’ financial data or personal information, or corporate financial data.

“Security is now everyone’s problem - from the IT team to the C-suite and the boardroom. As a result, reporting the right type of information with the right context, in addition to making it actionable, has never been more critical,” said Michael Osterman, Principal Analyst at Osterman Research. “It is imperative that security executives reconsider how they’re getting their information, the type of information they’re reporting, and how they’re reporting it, so that the board can effectively take action to make smart security decisions.”

To download “Reporting to the Board: Where CISOs and the Board are Missing the Mark” go to: http://baydynamics.com/resources/reporting-to-the-board-where-cisos-and-the-board-are-missing-the-mark.

About Bay Dynamics

Bay Dynamics® is the market leader in predicting and stopping cyber-attacks before they happen. The company specializes in cyber risk predictive analytics, identifying behaviors of company insiders, third party contractors and outsiders that may lead to an attack. The company’s purpose-built Risk Fabric® platform assembles and correlates relevant data from existing tools in a novel patented way to provide actionable cyber risk insights, before it’s too late. Bay Dynamics enables some of the world’s largest organizations to understand the state of their cybersecurity posture, including contextual awareness of what their insiders, vendors and bad actors are doing, which is key to effective cyber risk management.
