IT Execs Feel Board Wrath for Poor Cybersecurity Reports

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ellie Smith

June 14 — Over half of information technology and security executives, such as chief information security officers, will lose their jobs due to inadequate cybersecurity reporting, according to a Bay Dynamics report released June 14.

The report highlights the communication breakdown between IT executives and boards. Even though board members of large companies have begun to understand cybersecurity risks and are training themselves to improve their knowledge, the information provided may be too technical for some to understand, the report from the New York-based cybersecurity risk consulting company said.

For example, 97 percent of board members surveyed said they know exactly what to do or have a good idea of what to do with the cybersecurity information they are presented, but only 40 percent of IT and security executives believe the information they provide to the board is actionable, the report said.

You're Fired

Boards of major companies have added sessions to meetings about cybersecurity, and members have found ways to educate themselves on the topic, Mitchell Silber, Senior Managing Director of FTI Consulting, told Bloomberg BNA. Dealing with cybersecurity is an “evolving process” for large companies, as technology changes faster than companies can keep up with it, he said.

“In this day and age, board members realize” that cybersecurity issues “have fiscal implications,” Silber said.

Steven L. Caponi, a corporate and intellectual property partner at K&L Gates in Wilmington, Del., told Bloomberg BNA that class action data breach litigation will push boards to create in-depth cybersecurity strategies in the next two to five years, if they have not already.

With the communication discrepancy between boards and IT executives, there is room for improvement in the oft rocky relationship.

Companies must take into account the potentially substantial cost of replacing high-level IT and security officials or of investing in a stronger cybersecurity risk communication flow.

Technology Issue?

Directors may be viewing cybersecurity issues through the wrong lens.

Caponi said that boards assume cybersecurity is a technology issue, even though they should approach it as a separate security topic. This misclassification can lead to a communication breakdown with IT and security executives, he said.

“If it’s being treated as a technology problem, when the presentations are made, they're heavy with technology terminology. If you aren’t familiar with those terms, you gloss over,” Caponi said.

Board members are often focused on making information accessible within a company, but cybersecurity is about restricting access to information, he said. Directors will have to “bend the curve in the other direction” to take action on cybersecurity measures, Caponi said.

Cybersecurity Knowledge Gap

Peter Gleason, president of the National Association of Corporate Directors, told Bloomberg BNA that to combat the technology knowledge gap boards of some companies are adding members with experience in data security.

Although technology-related businesses already have board members with network security backgrounds, all companies today need to understand cybersecurity risks, Gleason said. Employees with this background may help companies adjust to the particular cybersecurity challenges they face, he said.

“Everything has to be adapted to that company and the situation that it is in,” Gleason said.

If companies don't have cybersecurity-fluent board members, the IT and security executives who report to the board must “keep them abreast” on network security risks with clear presentations, Gleason said.

Ryan Stolte, chief technology officer at Bay Dynamics, said that although companies are “headed in the right direction” in dealing with cybersecurity risks, they should set cybersecurity standards.

“Companies need an objective, industry standard model for measuring cybersecurity risks so that everyone is following the same playbook and making decisions based on the same set of requirements,” he said.

To contact the reporter on this story: Ellie Smith in Washington at

To contact the editor responsible for this story: Daniel R. Stoller at

For More Information

The Bay Dynamics June 14 report is available at