How Boards of Directors Really Feel About Cybersecurity Reports

New Report Reveals Majority of Board Members Say Cybersecurity Executives Will Lose Their Jobs for Poor Reporting

Bay Dynamics Unveils “How Boards of Directors Really Feel about Cyber Security Reports”

Bay Dynamics®, a leader in cyber risk analytics, unveiled today a new report that details board members’ perspectives about the cyber risk information reported to them by IT and security executives. The report titled, “How Boards of Directors Really Feel about Cyber Security Reports,” reveals that more than half of IT and security executives will lose their jobs as a result of failing to provide useful, actionable information. It also highlights significant contradictions such as while the majority (70 percent) of board members say they understand everything they’re being told by IT and security executives in their presentations, more than half believe the data presented is too technical.

The report is based on a nationwide survey, conducted by the third party research firm Osterman Research, of 125 enterprise executives that actively serve on a board of directors and receive reports about companies’ cyber security programs. Some of the additional findings include:

• The board is paying attention: 89 percent of board members said they are very involved in making cyber risk decisions.
• Cyber risks outweigh other risks: Cyber risks were the highest priority for 26 percent of board members surveyed, while other risks such as financial, legal, regulatory and competitive risks had the “highest priority” scores no higher than 16 to 22 percent.
• There’s room for reporting improvements: Although more than three in five board members say they are both significantly or very “satisfied” and “inspired” after the typical presentation from IT and security executives about the company’s cyber risk, the majority (85 percent) believe that IT and security executives need to improve the way they report to the board.

The board report complements another report released by Bay Dynamics in February 2016 titled “Reporting to the Board: Where CISOs and the Board are Missing the Mark” which is based on a survey conducted by Osterman Research asking IT and security executives about how they report information to the board. Highlights of comparable data from both reports include:

• The board says cyber risk information is actionable. IT and security executives say otherwise: While an overwhelming majority of board members (97 percent) say they know exactly what to do or have a good idea of what to do with the information they are presented by IT and security executives, only 40 percent of IT and security executives believe the information they provide to the board is actionable.
• Board members say they understand, but IT and security executives don’t believe they do: Although 70 percent of board members surveyed said they understand everything they’re being told by IT and security executives in their presentations, only one third of IT and security executives believe the board comprehends the cyber security information provided to them.
• There’s confusion regarding how cyber risk information is collected: Half of board member respondents believe IT and security executives use manually compiled spreadsheets to report cyber security data to the board. When in actuality, 81 percent of IT and security executives report they employ manually compiled spreadsheets to report data to the board.