Last month, I said that people don't know how to assess cyber risk.
I quoted from a McKinsey report (my highlights):
- Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
- Most reporting fails to convey the implications of risk levels for business. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.
- At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”
Osterman Research published the results of a survey of board members in 2016. They concluded (my highlights):
- 85% of board members believe that IT and security executives need to improve the way they report to the board.
- 59% say that one or more IT security executives will lose their jobs as a result of failing to provide useful, actionable information.
- 54% agree or strongly agree that reports are too technical.
- Only 33% of IT and…