To make a difference as a security professional today, you need board support. You need resources. You need directors to trust and back you. You need organizational leaders to promote security.
So whenever you have the board’s attention – or the attention of those who report back to the board – you make your case. You answer questions with utmost clarity. You hope you’ve delivered your message – and that the board won’t simply sweep cyber security under the rug.
Today, the stats suggest there’s about a 46% chance that’s exactly what they’ll do.
Why boards disregard cyber security
In March 2019, the UK government published its latest (at the time of writing) Cyber Governance Health Check. Among other things, the Check explores how FTSE350 companies are currently managing their cyber risk. The focus is largely on the board, and the Check’s findings are revealing.
As far as we know, most boards (72%) see cyber security as a top-tier risk. Yet just 46% of FTSE350 companies have a dedicated cyber security budget. And almost exactly the same proportion – 47% – believe cyber risk reporting to be incomplete.
That may or may not be a coincidence. Either way, the take-home is clear.
As security professionals, we need to improve our reports on cyber risk.
Shallow metrics don’t reveal risk
The majority of risk reports today – such as technological cyber risk reports – have a clearly defined structure. Based on frameworks, they cover things like risk appetite and risk-mitigation measures.
When it comes to human cyber risk reports, however, no such framework exists.
Typical human cyber risk reports show training completion rates. They show awareness test results. Sometimes, they show the click-rates of simulated phishing attacks. While all might be related to human cyber risk, they’re shallow metrics. They simply do not reveal human cyber risk in its totality – which encompasses security awareness, behaviors and culture.
So when 47% of boards label cyber risk reports as incomplete, can we really blame them?
It’s likely they have a point.
Better metrics for human cyber risk
To ensure boards can see and act on the true level of human cyber risk our organizations face, we need to begin tracking meaningful metrics of human cyber risk.
That’s a lot easier to say than it is to act on. But if our industry is going to continue to advance, we need to welcome the challenge.
When we track meaningful metrics of human cyber risk, we can be certain our human cyber risk is moving in the right direction.
More importantly, by monitoring meaningful metrics of human cyber risk, we can keep more people and societies safe online.