Chief information security officers (CISOs) need to start reporting more meaningful information to their boards, according to a new report from Bay Dynamics and Osterman Research, “Reporting to the Board: Where CISOs and the Board are Missing the Mark.”
The survey found that 61 percent of CISOs believe they “know what boards want to hear” and that 60 percent think they can “fully answer the board’s questions.” Another 67 percent say they “know what to present to the board.”
Here’s the rub: Only 40 percent say they present actionable information. And just 34 percent think their boards understand the information being presented to them. In short, “IT and security executives tell the board what they want to hear, even though the information is often not actionable,” as the report puts it.
To close this communication gap, CISOs should “communicate the value of data at risk using numbers that explain what it is and how to take action to protect it,” the report states. “Given that board members in many organizations are typically less technical than the IT and security executives reporting to them, the latter must contextualize the information in order to make it both understandable and actionable.”
In an interview, Bay Dynamics founder and CEO Feris Rifai said that boards and legal officers can do a better job of holding CISOs accountable for how they compile information. Rifai said they should assess whether the information is accurate, trustworthy, traceable and comprehensive.
To help that process along, Rifai suggests: “Give them quantifiable information in the right context. Show what it would mean to the business from a reputation standpoint or loss of sales. Be selective about what you want to show. … [CISOs] only get a certain amount of time [with the board], you want to make it so they can participate in reducing the overall risk of the company.”