CISO Cyber Communications Breakdown

CISOs and the board of directors are missing the mark when it comes to cybersecurity reporting.

According to Osterman Research, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cybersecurity threats.

Despite a general consensus that more automation can help address the security personnel staffing shortages, the report found that cybersecurity reporting is still dominated by manual methods: 81% of IT and security executives use manually compiled spreadsheets to report data to the board. This process can lead to incorrect reporting and to important data being overlooked, whether through intentional manipulation or human error.

One of the areas most often overlooked is security spending.

The most common type of information reported about cybersecurity issues is about known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data-loss incidents. Information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

The research also uncovered that IT and security executives say they frequently report breaches, but admit they don’t know about all of them: Four out of five respondents say they report major data breaches to the board, yet more than a third report they do not know all of the data breaches that occurred during 2015.

Interestingly, this lack of accuracy and completeness appears to worry a minority of businesses. Only two in five IT and security executives said that they are pressured by the board to provide an accurate report about data breaches and attack attempts; in fact, even fewer say there are repercussions if they do not provide an accurate report to the board.

“Overall, the report shows the board isn't doing its job when it comes to holding their CISOs accountable for providing actionable and accurate information about their cyber-risk and IT—and security executives are not doing their jobs and making sure the information they report is understandable, actionable and accurate,” said a spokesperson for Bay Dynamics, which sponsored the report.

Overall, only one-third of IT and security executives in the survey said that they believe that the board understands the information about cybersecurity threats that is provided to them. And fewer than two in five IT and security executives believe that risk is reduced as a result of their conversations and reports to the board.

“Arguably, the most important statistic noted in the figure below is that only 37% of IT and security executives agree or strongly agree that organisational risk is reduced as a result of their conversations with and reports to the board, in fact, 5% of those we surveyed either disagree or strongly disagree that risk is reduced,” the report concluded.

“The point of IT and security executives presenting information to a board of directors should be informing the board about cybersecurity threats and what is being done to address them—at many organizations that clearly is not happening, and so boards are not helping to reduce risk.”

Infosecurity: http://bit.ly/22dJOu6

