- June 13, 2014
Few topics squeeze out more angst for company board members than two words: data breach.
The list of giant businesses to suffer that fate includes Home Depot, Target and Fort Myers-based 21st Century Oncology, among others. Yet even with all the publicity, a wide gulf remains in how board members learn about data breaches, deal with them and help their companies recover, according to a new survey.
The survey, the Cyber Balance Sheet Report, is from Tampa-based Focal Point Data Risk LLC, a cybersecurity and data risk management firm formerly named Sunera. The Cyentia Institute, a Virginia cybersecurity research services firm, is the lead independent researcher on the report. Both entities say the survey, which includes interviews with scores of board members, chief information security officers and industry experts, is the first of its kind in the field.
“For years pundits have been saying 'cyber needs to be a boardroom issue,' but the Cyber Balance Sheet Report replaces this sound bite with the most illuminating look yet at where cyber issues are making headway with boards or falling off the table,” says Focal Point CEO Yong-Gon Chon. “There is a jargon of cybersecurity, and that's not the jargon of business.”
Chon says a big goal of the report, and a summit Focal Point hosted in New York City in January, is to get board members and cybersecurity leaders to communicate better. “People are focused on the wrong things,” he says. “People need to focus not on getting a data breach because breaches are a fact of life today. People need to focus on negating the impact of a breach.”
The core of the issue, according to survey interviews, is many chief cybersecurity officers “consider interacting with the board to be the toughest part of their job.” The feeling is somewhat mutual. A board member is quoted in the report saying “security has a seat at the table, but has nothing to say. We're listening, but security mumbles.”
Another inconsistency between board members and security officers is in how they prefer to express risk. Board members' No. 1 preference, the report shows, is to “tell me a story: describe the problems and how we're solving them (or not).” Their least preferred method is to “bring up your grades: develop a scoring approach and work to improve over time.”
Chief cybersecurity officers, the report states, flip the answers. They prefer to bring up the grades, something tangible, and last on their list is to tell a story.
One way to get both sides together, concludes the report, is through creating a cyber balance sheet — a statement of cyber assets, liabilities and capabilities within a company. “Quantifying cyber risk,” states the report, “requires a level of shared language and risk principles.”
The extensive project was a mid-six-figure investment for Focal Point, says Chon. In addition to the subject matter, Chon says the report, and the publicity he hopes it will generate, is a good branding move coming off the company's recent name change. “We wanted to blaze a trail with this,” Chon says. “This was the right way to present this data.”
The Cyber Balance Sheet Report offers several tips for cybersecurity officials on communicating better with corporate board members. Tips include:
• relate to the business and avoid jargon;
• build security awareness, but avoid hype;
• be credible and candid;
• provide pointed evidence;
• know your audience;
• keep it simple and interesting;
• show the plan and progress;
• don't re-create the wheel.