Today, Focal Point published the inaugural Cyber Balance Sheet Report - a groundbreaking research study directed at corporate board members and CISOs that aims to define the best ways for both parties to productively discuss security, governance, and cyber risk management in the boardroom. Six months in the making, this study is the first of its kind, using in-depth surveys and interviews of board members and CISOs to identify the most common cybersecurity communication gaps and establish a set of principles to allow for better collaboration.
The full report can be downloaded here.
Bridging the Gap
The Cyber Balance Sheet Report was independently researched and produced by The Cyentia Institute (Cyentia), a cybersecurity research firm co-founded by Dr. Wade Baker, widely known as the father of the Verizon Data Breach Investigation Report (DBIR). Focal Point and Cyentia worked together to conduct comprehensive interviews of more than 80 CISOs, board members, and subject matter experts to identify the most common conversation topics, concerns, misunderstandings and communication breakdowns in boardroom discussions about cyber risk.
“For years pundits have been saying ‘Cyber needs to be a boardroom issue,’ but the Cyber Balance Sheet Report replaces this sound bite with the most illuminating look yet at where cyber issues are making headway with boards or falling off the table,” said Yong-Gon Chon, CEO of Focal Point.
The Report features six Balance Points – common areas of discussion where the opinions, philosophies, and goals of board members and cyber professionals tend to diverge. Each Balance Point provides insight into some of the common conversational stress points that occur in the boardroom, as well as strategies to get CISOs and boards to stop talking past each other and start understanding each other.
- CISOs more focused on “guidance” than “protection” – CISOs report that they spend most of their boardroom time “giving security guidance” on business enablement and loss avoidance. Surprisingly, CISOs reported that they spend far less time discussing “data protection” and “brand protection,” despite widespread coverage of how breaches affect intellectual property and trust.
- Boards want a “big picture” view of cyber risk – Board members were five times as likely to cite “risk posture” as a key security metric compared to CISOs and 13 times as likely to say the same about “peer benchmarking” – showing boardrooms’ greater concern for the “big picture.”
- Assumptions rule the world – Board members report being inundated with security data and often assume that CISOs – armed with that data – have things under control. One CISO was told, "We do not understand everything you are telling us, but we have a lot of confidence you are doing the right thing." This refrain underscores a lingering divide in how security teams inform boards about issues that affect the bottom line.
To explore all six Balance Points, and to see our recommendations for building a Cyber Balance Sheet for your organization, download the complete Cyber Balance Sheet Report.