Based on studies and interviews with corporate board members and chief information security officers (CISOs), the Cyber Balance Sheet, published by Focal Point Data Risk and produced by the Cyentia Institute, found that boardrooms are engaging in more conversations about security.
While the talks about cyber risk are more commonplace, the C-suite and security leaders are still struggling to effectively translate security risks into an effective decision-making framework that enables the business to operate within its proper risk appetite.
Not surprisingly, the report found that many organizations lack a formal cyber-risk appetite. Years of data breach headlines increase awareness, but less than half of respondents could describe their organization’s cyber-risk appetite quantitatively. This gap revealed why leaders second-guess and struggle to effectively weigh risks of new technologies, supply chains and other change factors.
In addition, metrics reportedly muddy what matters when it comes to boardroom reporting. Security leaders continue to share statistics like “compliance status” and “security program maturity.” Despite the need for decision makers to act swiftly with regard to risks from third parties and supply chains, those topics are less frequently included in the stats shared with the board.
As a result, the report found that finding the balance of topic coverage that yields the necessary return on reporting remains a problem. To fix the metrics puzzle, boards are pressing CISOs to find new reporting metrics that spur the most strategic, valuable returns in resourcing and evolving cybersecurity.
“This year’s Cyber Balance Sheet Report dispels the ‘cyber is a boardroom issue’ cliché by showing that not only have board members already received the cyber risk message loud and clear, they are actively initiating more discussion about breaches and threats that could upend their organizations,” said Andrew Cannata, Focal Point’s CISO and national cybersecurity practice leader, in a press release.
“The more important issue uncovered by the research is that this surge of interest – while commendable – seldom resolves executives’ two most important questions: ‘What is our risk appetite?’ and ‘Are we operating in or out of this comfort zone?’ When these questions are buried or unanswered, it becomes a recipe for miscalculation and false assurances. Helpfully, security teams and business leaders can use the report’s anecdotes and data to revisit how they frame risk management with leadership.”