Last month, I said People don’t know how to assess cyber risk.

I quoted from a McKinsey report (my highlights):

  • Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
  • Most reporting fails to convey the implications of risk levels for business Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.
  • At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”

Osterman Research published the results of a survey of board members in 2016. They concluded (my highlights):

  • 85% of board members believe that IT and security executives need to improve the way they report to the board.
  • 59% say that one or more IT security executive will lose their job as a result of failing to provide useful, actionable information.
  • 54% agree or strongly agree that reports are too technical.
  • Only 33% of IT and…

Подробнее…

Обучение для риск менеджеров