Wider breach awareness fosters more security conversations, yet commonly used board metrics and reporting formats make identifying and managing risk appetite difficult
TAMPA, FL – October 30, 2018 – Focal Point Data Risk, an integrated risk management firm, today announced the release of the second annual Cyber Balance Sheet Report, a closely watched research study using in-depth surveys and interviews of corporate board members and chief information security officers (CISOs) to offer a rare window on the state of cyber risk management in the boardroom. The Report is independently produced by the Cyentia Institute, a cybersecurity research firm, co-founded by Dr. Wade Baker, widely known for creating the landmark Verizon Data Breach Investigations Report (DBIR).
This year’s Cyber Balance Sheet Report findings reveal a complex risk management sequel to the inaugural 2017 edition, which tracked cyber risk as an escalating oversight issue among boards. The 2018 report reveals that wider awareness of risks - including third-party data breaches, ransomware and geopolitical conflicts - spurs more security dialogue in the boardroom. However, C-Suite and security leaders struggle to frame risk in productive decision-making terms and keep an eye on whether companies are operating within their proper risk appetite.
“This year’s Cyber Balance Sheet Report dispels the ‘cyber is a boardroom issue’ cliché by showing that not only have board members already received the cyber risk message loud and clear, they are actively initiating more discussion about breaches and threats that could upend their organizations,” said Andrew Cannata, Focal Point’s CISO and national Cyber Security Practice leader. “The more important issue uncovered by the research is that this surge of interest – while commendable – seldom resolves executives’ two most important questions: ‘What is our risk appetite?’ and ‘Are we operating in or out of this comfort zone?’ When these questions are buried or unanswered, it becomes a recipe for miscalculation and false assurances. Helpfully, security teams and business leaders can use the report’s anecdotes and data to revisit how they frame risk management with leadership.”
The Report organizes CISO and executive insights along seven key “balance points” that reveal differences on issues including whether boards view cybersecurity as a unique risk or an extension of other hazards, the different metrics and reporting structures boards and CISOs use in briefings, varying approaches to identifying risk appetite and exposure, and what board members say instills satisfaction and confidence in security programs.
Key insights include:
“This latest report shines a light on remarkable progress and stakes surrounding how boards and security teams interface and support one another,” added Baker, the lead Cyber Balance Sheet Report researcher. “The data show cyber risk is still an emerging area for boards with more experience facing other existential threats. However, there is wider recognition that IT is a risk vector for everything that keeps leaders up at night, from regulatory issues and protecting trade secrets to reputational matters and avoiding lawsuits. The report shows we are crossing a key threshold where boards realize that requesting metrics and asking more security questions only helps to a point. The new premium is on each board, C-Suite and security team determining the most important issues for them to productively set their risk appetite course and navigate appropriately.”
The complete Cyber Balance Sheet Report is available for download at https://go.focal-point.com/cyber-balance-sheet-report.
About Focal Point Data Risk
Focal Point Data Risk is an integrated risk management firm delivering a unified approach to addressing data risk through a unique combination of service offerings. Focal Point brings together industry-leading expertise in cybersecurity, identity governance and access management, data privacy, analytics, internal audit, and hands-on training services - giving clients everything they need to plan and develop effective risk and security programs. By integrating these services, we provide the resources necessary for protecting and using data across entire organizations. Simply put, Focal Point is the next generation of risk management.