Ask any marriage counselor what characterizes a relationship in stormy waters, and two of the most common problems they’ll report are a lack of communication and/or miscommunication.
These same issues were recently highlighted in two research reports published by Osterman Research (sponsored by Bay Dynamics), which examined how organizations report IT security incidents and issues internally, collecting opinions from both sides of the table. While ‘Reporting to the Board: Why CISOs and the Board are Missing the Mark’ surveyed security managers to obtain their views on reporting security incidents, ‘How Boards of Directors Really Feel About Cybersecurity’ polled board members to assess their perception of the reports they received from security teams – and together they revealed a telling disconnect.
A relationship in stormy waters
For example, while only 40% of security managers reported that they provided the board with reports that contained actionable information, the overwhelming majority (97%) of board members said that they knew what to do with the information security managers provided them with. Furthermore, only 33% of security managers believe that the board comprehends the cyber-security information contained in reports, while 70% of boards believed they understood everything that was reported to them! As a result of these differences, the reports concluded, security executives are prone to telling senior managers ‘what they want to hear’, while 59% of board members reported they would respond to such practices by terminating the employment of a security manager for failing to provide meaningful information.
A breakdown in communication
One of the few points of agreement between security managers and the board was that the language used in the reports made effective communication challenging. 75% of IT and security executives and 66% of board members said that they felt the board would benefit from reports that didn’t require them to be cyber-security experts in order to understand them. Moreover, the boards expressed a preference for qualitative information over quantitative in order to make effective business decisions. But is the board getting this qualitative information? The Osterman reports say probably not.
The reason, as we have previously blogged, is that most IT security teams are short-staffed and overstretched and therefore focus on ‘keeping the lights on’ activities. Reporting often falls to the bottom of the priority list.
Moreover, today, reports on the company’s security status are still mostly compiled manually – which is both resource-intensive and prone to errors – although just under half of the IT and security staff surveyed by Osterman did use some type of automated business intelligence system to enhance their manual spreadsheets.
Calming the waters with automation
By moving towards greater automation of security policy management, enterprises can solve many of the communication issues between boards and IT security teams highlighted in the Osterman Research reports.
Intelligent automation reduces IT teams’ reliance on manual reporting and increases accuracy. It also establishes a clear, consistent and unified language and format for IT security reporting – one that is standardized across the organization even as IT personnel come and go. And by using security management automation tools to collate key data on risks and vulnerabilities and tie them to business processes, security executives can easily provide the qualitative information that the board needs in order to prioritize their security strategies and drive their organizations forward.
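As an added illustration of the collation step described above (example code written for this post, not a tool or output from Osterman Research, Bay Dynamics or any vendor), the script below takes a constructed set of scanner findings, maps each technical asset to the business process it supports, rolls the findings up into a qualitative High/Medium/Low rating per process, and produces one plain-language line per process for a board summary. The asset names, severities, the asset-to-process mapping and the rating thresholds are all assumptions chosen for the example; the one design point worth noting is that assets with no business-process mapping are surfaced explicitly as a coverage gap, because a roll-up that silently drops them is exactly how a critical finding disappears from the board's view.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not from the post): raw findings as
# (asset, severity on a 0-10 scale, internet_exposed).
FINDINGS = [
    ("web-01", 9.8, True),
    ("web-02", 7.5, True),
    ("db-01", 8.1, False),
    ("hr-app-01", 5.3, False),
    ("lab-07", 9.0, False),   # deliberately left out of the mapping below
]

# Constructed mapping from technical assets to the business process they support.
ASSET_TO_PROCESS = {
    "web-01": "Online ordering",
    "web-02": "Online ordering",
    "db-01": "Online ordering",
    "hr-app-01": "Payroll",
}


@dataclass
class ProcessRisk:
    process: str
    findings: int   # open findings on assets supporting this process
    critical: int   # findings with severity >= 9.0
    exposed: int    # internet-facing findings with severity >= 7.0
    rating: str     # qualitative rating: High / Medium / Low


def rate(critical: int, exposed_high: int, high: int) -> str:
    """Assumed rating rule: any critical finding, or any internet-exposed
    high finding, makes the process High; any other high finding makes it
    Medium; everything else is Low."""
    if critical or exposed_high:
        return "High"
    if high:
        return "Medium"
    return "Low"


def collate(findings, asset_map):
    """Group findings by business process and rate each process.
    Returns (report dict keyed by process, sorted list of unmapped assets)."""
    by_process = defaultdict(list)
    unmapped = set()
    for asset, severity, exposed in findings:
        process = asset_map.get(asset)
        if process is None:
            unmapped.add(asset)      # do not drop it silently
            continue
        by_process[process].append((severity, exposed))

    report = {}
    for process, items in by_process.items():
        critical = sum(1 for s, _ in items if s >= 9.0)
        exposed_high = sum(1 for s, e in items if e and s >= 7.0)
        high = sum(1 for s, _ in items if s >= 7.0)
        report[process] = ProcessRisk(
            process, len(items), critical, exposed_high,
            rate(critical, exposed_high, high),
        )
    return report, sorted(unmapped)


def board_summary(report, unmapped):
    """One plain-language line per process, highest risk first, plus an
    explicit coverage-gap line for assets tied to no business process."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    lines = []
    for r in sorted(report.values(), key=lambda r: (order[r.rating], r.process)):
        lines.append(
            f"{r.process}: {r.rating} risk ({r.findings} open findings, "
            f"{r.critical} critical, {r.exposed} internet-exposed)"
        )
    if unmapped:
        lines.append(
            "Coverage gap - assets not tied to any business process: "
            + ", ".join(unmapped)
        )
    return lines


if __name__ == "__main__":
    for line in board_summary(*collate(FINDINGS, ASSET_TO_PROCESS)):
        print(line)
```

Run as-is, the script reports Online ordering as High risk, Payroll as Low risk, and lists lab-07 as a coverage gap; in a real deployment the findings and mapping would be pulled from the scanner and the asset inventory rather than embedded, and the thresholds would be agreed with the board so the qualitative rating means the same thing in every report.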