Boards ready to fire over bad security reporting

A lack of communication could lead to job loss

If CISOs don't do a good job of communicating, 59 percent of board members said that the security executives stand to lose their jobs, according to a new survey released today.

"If they're not up to par in the minds of the board, there will be action taken," said Ryan Stolte, co-founder and CTO at Bay Dynamics.

It marks an inflection point in how the boards look at cybersecurity, he said.

Previously, boards looked at breaches as an act of God or natural disaster, he said, or just fired the CISO even if the breach was not something they could have prevented.

"Now they're treating it as a risk management concern," he said. "It's a mind change."

CISOs are expected to have good security processes in place, to do their due diligence, and to take care of the fundamentals. For example, according to the latest Verizon data breach report, 63 percent of breaches involved stolen credentials because enterprises still weren't making effective use of two-factor authentication.


"When you get these year-in-review reports from Verizon, you see that people are getting breached with stuff that they've known about for a long time," Stolte said.

If there's a breach, CISOs must be able to show that they're running an effective operation and are following industry best practices, he said.

"If you get attacked, how did you respond? How prepared were you? You can have a cyber breach and keep your job as long as you've been minding the ship well," he said. "With the board paying more attention to good governance, it may trickle down to us actually doing good governance. We still might get breached, but we should have a good prescription for success. Follow it, and we'll be much less likely to have a problem."

As a result of the increase in cyber attacks and the associated rise in attention from the media, industry groups and regulators, boards are becoming better educated about cybersecurity. And they expect the CISO to be able to keep the board well informed.

"If your CFO walked into a board meeting and had sloppy numbers that didn't make sense and were inconsistent, he'd be gone," said Stolte.

Now, boards are subjecting CISOs to the same kind of scrutiny.

"They're taking it very seriously, and they're expecting quality results," he said.

According to the survey, which was conducted by Osterman Research, cyber risk is now a top priority for board members, right up there with financial risk, regulatory risk, competitive risk, and legal risk.

But they expect security reports to present the information they need to make decisions: the inputs required for cyber risk planning and investment decisions, including budget estimates, direct costs and detailed spending information.

In addition, 54 percent of board members said that the data they were getting was too technical, and 85 percent said that IT and security executives need to improve the way they report to the board.

If the reports aren't useful and actionable, 93 percent said that there would be consequences. These included termination, said 59 percent, or warnings, said 34 percent.


Stories by Maria Korolov
