Due to the impact of breaches to an organization, information security is an area that has become a board room concern.  Although it seems the C-Suite is onboard with cybersecurity as a business process, the recent US State of Cybercrime Survey reveals otherwise.

 

According the cybercrime survey, when it comes to the board of director’s alignment with cybersecurity issues they are horrendous, adequate or excellent with it.

 

  • 28% of respondents said their security leaders make no presentations at all to the board.
  • 26% of CISOs (1 in 4) provide an annual presentation to the board of directors.
  • 30% of surveyors said their senior security executives stay in regular contact with the board by providing them with quarterly cybersecurity presentations.
  • CISOs at larger organizations are more likely to make quarterly board presentations than smaller organizations.
  • 1/3 of respondents at small organizations don’t ever advise the board on cybersecurity efforts.
  • 18% of security leaders at larger organizations don’t advise the board on cybersecurity efforts.

 

These statistics are concerning when the C-Suite needs to be on board if information security and cybersecurity are going to become part of the business process.  Even though business leaders talk about the importance of cybersecurity, security pros feel there is still a huge disconnect.

 

  • An indication of this divide is that 42% of the survey respondents see cybersecurity as a corporate governance issue, but 42% of them don’t.
  • 30% of security pros find that board members and committees aren’t actively engaged in cybersecurity, while 25% say boards are involved.

 

One of the biggest problems is communicating security risks to the board effectively.  CISOs and CIOs need to talk of the realistic expectations of information security, as well as the complexity.  They also need to make clear that even though the organization could still get breached, not taking a holistic information security approach costs them more.

 

When presenting the information to higher up, trying to make it as simple as possible is another way CISOs or CIOs can make their communication approach more effective.  After all, the board doesn’t need all the details to understand the dangers bad security brings to the enterprise.

 

What has been your experience in communicating to the board about information security?  Are you met with resistance or do you avoid talking to them completely and just hope for the best?

 

Photo courtesy of wavebreakmedia