FAIR Institute Member Wade Baker surveyed over a hundred CISOs and corporate board directors to find out just why these two groups have so much trouble communicating. The results are in the just released Cyber Balance Sheet from Wade’s Cyentia Institute and risk management firm Focal Point (FAIR Institute Chairman Jack Jones was a contributor).
The report finds, to start, that “the things cited by Board members as most critical fell dead last among CISOs.” Some of the glaring communication gaps between board directors and CISOs surfaced by the survey include:
- Board members think “data protection” is by far the primary value of cybersecurity to the business. CISOs called “security guidance” the primary value.
- 42% of CISOs said they are “confident” in their security program’s effectiveness. 49% of board directors said they are “NOT confident”.
- 80% of board members surveyed rated “risk posture” as the most important metric to report; fewer than 20% of CISOs agreed. In practice, however, more than half of CISOs do deliver risk posture reports to the board, but board members find them too technical.
- The CISOs in the survey mostly measure cyber risk qualitatively with categorical ratings or numeric scores. As one survey participant admitted, “We’re doing all the things Jack Jones says you shouldn’t do.” Board directors placed categorical grades at the bottom of their wish list, preferring to hear cyber risk discussed like other enterprise risk management concerns. But they were surprisingly lenient toward CISOs. Their expectation was “tell me a story and then back it up with a few numbers.”
The Cyber Balance Sheet concludes on a positive and practical note, with sample balance sheets that CISOs can use to frame security posture for a board as an Assets vs. Liabilities message, as well as this list of Top 10 Tips, from both CISOs and boards, on how to improve communication:
[Infographic: Top 10 Tips from CISOs and boards on improving communication.]