Here are some steps security managers can take to deliver the information the executive suite needs to make better decisions on cyber security.
Corporate leadership finally understands that breaches can cost the company millions of dollars and that the future of the business depends on securing its network and IT infrastructure, according to a new report by Bay Dynamics.
The Ponemon Institute found in 2015 research that the average total cost of a data breach had increased 23 percent to $3.8 million from the previous two years. Make no mistake about it, the executive suite has noticed.
In fact, a new report released today by security analytics company Bay Dynamics found that 89 percent of board members say they are now “very involved” in making cyber risk decisions.
“One of the most positive findings of the study is that top management now recognizes that a breach can be serious,” says Steven Grossman, vice president of program management at Bay Dynamics. “Management understands that victims can sue a company and it will be more than a $12 a month charge for credit card monitoring.”
So now that the executive suite has its eye on IT security, the pressure is on security managers to report to top management in a more frequent and understandable way. Based on the Bay Dynamics report, the top three items the board wants from IT and security executives are the following:
1. Reports with clear language that does not require board members to be cyber experts. The report found that 81 percent of security executives say they use manually compiled spreadsheets to report data to the board. Grossman adds that typically security pros would use 30 to 40 spreadsheets to generate a report, which can lead to questions on how up-to-date or accurate the information is. He says what’s needed today are consistent reports that are easy to understand and are issued on a defined schedule; whatever the company deems appropriate.
2. Quantitative information about cyber risks. In the past, security executives would show data in a series of “green light” or “red light” charts that would outline potential vulnerabilities, but not detail specific data on how a vulnerability could impact the business. The study found that while only 40 percent of IT and security executives believed that their information was actionable, a full 97 percent of board members say they know exactly what to do or have a good idea of what to do with the information the technology executives present them. That kind of disconnect doesn’t cut it in an environment where a single breach can cost millions of dollars or take down a business for several weeks. For example, retailers need to know the financial impact of a breach of a POS system while a healthcare company needs to know the cost to the business of stolen medical records.
3. Progress made to address the company’s cyber risk. Here security managers need to focus on the vulnerabilities in terms of how the company has improved. It’s of value to a financial trading company to know that the company can patch a vulnerability in Windows within 24 hours once it’s been identified. Executives can then discuss if that’s fast enough and set a schedule with the IT and security teams to receive updates that show progress over time on how the company is reducing that number.
Grossman adds that the security world is slowly catching up to the financial and sales domains. He says CFOs and sales managers have had analytics tools for managing the business for several years — less so for security managers.
“Five years ago the CISO was reactive. Tthey would respond to an attack,” he explains. “And while technical expertise is still important, there is more emphasis on CISOs identifying what assets are of most value and what are the impacts of those threats.”
Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio