If CISOs don't do a good job of communicating, 59 percent of board members said that the security executives stand to lose their jobs, according to a new survey released today.
"If they're not up to par in the minds of the board, there will be action taken," said Ryan Stolte, co-founder and CTO at Bay Dynamics.
It marks an inflection point in how the boards look at cybersecurity, he said.
Previously, boards looked at breaches as an act of God or natural disaster, he said, or just fired the CISO even if the breach was not something they could have prevented.
"Now they're treating it as a risk management concern," he said. "It's a mind change."
CISOs are expected to have good security processes in place, to do their due diligence, and to take care of the fundamentals. For example, according to the latest Verizon data breach report, 63 percent of breaches involved stolen credentials because enterprises still weren't making effective use of two-factor authentication.
Ryan Stolte, co-founder and CTO at Bay Dynamics
"When you get these year-in-review reports from Verizon, you see that people are getting breached with stuff that they've known about for a long time," Stolte said.
If there's a breach, CISO must be able to show that they're running an effective operation, and are following industry best practices, he said.
"If you get attacked, how did you respond? How prepared were you? Your can have a cyber breach and keep your job as long as you've been minding the ship well," he said. "With the board paying more attention to good governance, it may trickle down to us actually doing good governance. We still might get breached, but we should have a good prescription for success. Follow it, and we'll be much less likely to have a problem."
As a result of the increase in cyber attacks and the associated rise in attention from the media, industry groups and regulators, boards are becoming better educated about cybersecurity. And they expect the CISO to be able to keep the board well informed.
"If your CFO walked into a board meeting and had sloppy numbers that didn't make sense and were inconsistent, he'd be gone," said Stolte.
Now, boards are subjecting CISOs to the same kind of scrutiny.
"They're taking it very seriously, and they're expecting quality results," he said.
According to the survey, which was conducted by Osterman Research, cyber risk is now a top priority for board members, right up there with financial risk, regulatory risk, competitive risk, and legal risk.
But they expect security reports to present information that they need to make decisions. That requires the information that they need to make investments for cyber risk planning and expenditures, budget estimates, direct costs and detailed spending information.
In addition, 54 percent of board members said that the data they were getting was too technical, and 85 percent said that IT and security executives need to improve the way they report to the board.
If the reports aren't useful and actionable, 93 percent said that there would be consequences. These included termination, said 59 percent, or warnings, said 34 percent.