Source: Forbes | Yael Grauer | June 14, 2016

Board members of large enterprise companies once viewed cyber security threats the same way they saw natural disasters: possible, but unlikely. Those days have changed.

According to a new report by cyber risk analytics company Bay Dynamics, based on the results of a nationwide survey conducted by Osterman Research, board members are taking cyber security risks seriously. So seriously, in fact, that 26 percent of those surveyed said cyber risks were their highest priority, a larger percentage than those most concerned with financial, legal, regulatory, or competitive risks. The 125 survey respondents consisted of enterprise executives who serve on the boards of directors of enterprise companies and receive reports about companies’ cyber security programs.

Failing to deliver the cyber risk information that board members want, in a way they understand, will not go unnoticed,” said Ryan Stolte, Chief Technology Officer and Co-Founder of Bay Dynamics. And there will be repercussions. 59 percent of board members surveyed said that there is a good chance that one or more IT and security executives who fail to provide useful and actionable information in their reports would lose their jobs.

Stolte believes that the new phenomenon of holding IT and security executives accountable for risk based on cyber attacks is a critical mindset change for boards that will be the ripple effect that will help organizations get cyber security threats into a controllable situation. “It’s hard to move an entire economy, but if we’ve got big boards of big companies that are very engaged and taking it seriously, they’re the ones driving what the companies do,” he said.

Bay Dynamics’ report, titled How Boards of Directors Really Feel About Cyber Security Reports, points out that The Ponemon Institute’s 2015 global analysis of the cost of data beaches states that the average total cost of a data breach is $3.79 million, a 23 percent increase over the total cost for 2013 and 2014. Board members are now looking at cyber security as a risk management problem, and trying to get a better handle on the business’ threat models: what the critical systems used to run the business are, how bad the damage would be if those systems were compromised in various ways, and what type of security measures are in place to prevent potential breaches. This will allow them to make informed investment decisions based on cyber risk metrics and their appetite for risk.

Because board members are now highly engaged (89 percent of the board members surveyed said they were very involved in making cyber risk decisions) and are beginning to realize that this is an ever-present danger that’s a real risk to their business, they are putting a lot of scrutiny on their cyber security leadership. “If your CFO walked into a board meeting and they didn’t have consistency or high quality numbers, they’d be fired on the spot. You just have that expectation. I think it’s very imp that we have that same set of standards for other parts of our business, specifically cyber,” said Stolte.

85 percent of the board members surveyed stated that IT and security executives need to improve the way they report to the board. To keep board members happy, they’ll need to provide useful, accurate, up-to-date information. It also has to be accessible: more than half of board members believe that the data they are presented with is too technical.

There appears to be a disconnect between board members who believe they understand these presentations (70 percent) and the IT and security executives that agree (around one-third), as well as some confusion between the two groups about the way data is compiled and whether the information presented is actionable. Bay Dynamics further points out that board members are often educated about risk by the same people who are measuring and reducing it, rather than following objective industry standard models.

A complementary report released by Bay Dynamics earlier this year examines where  IT and security executives are missing the communication mark.