2017 Cyber Balance Sheet Report

Partner: Focal Point

Data is the lifeblood of the modern company, yet there is immense frustration at how risks to that information are communicated to the top. This study breaks down the walls between cybersecurity leaders and Boards of Directors by identifying “Balance Points” where their viewpoints diverge. We explore the mismatch in goals and priorities that often leaves board members skeptical even when security programs are operating at peak efficiency.

Our findings show that Board members cite brand and data protection as security’s primary responsibility, while CISOs tend to rank “security guidance” and “business enablement” higher. The report also reveals a significant confidence gap: more than half of Board members (57%) express something less than confidence in their program’s effectiveness, while only 13% of CISOs share that doubt. Confidence at the top is earned by consistently delivering on promises, and when CISOs cannot show evidence of that delivery, trust erodes.

The study introduces the concept of a “Cyber Balance Sheet,” borrowing familiar financial terminology of assets and liabilities to bridge the communication gap. We offer practical tips for “de-teching” boardroom reporting, emphasizing story-telling over operational metrics. This report provides the framework for CISOs to move from “proving a negative” to demonstrating material value to the business.

Key Findings

  • Confidence Chasm: 57% of Board members are “not confident” or “neutral” about security effectiveness, compared to only 13% of CISOs.
  • Reporting Disconnect: Boards crave business-relevant reporting, while the metrics cited as most critical by Directors fall “dead last” among those tracked by CISOs.
  • The Value Misalignment: Board members prioritize brand and data protection (64% or more), whereas CISOs emphasize guidance and business enablement.
  • The “Packets” Fallacy: Boards strongly favor outcomes over technical minutiae, with one Director stating, “Nobody cares how many packets your firewall blocked.”
  • Compliance vs. Effectiveness: Adherence to external standards is the most common way programs assess their posture, yet Directors view it as a poor proxy for actual program strength.
  • Soft Skills Dominance: The top communication tips for CISOs focus on “relating to business” and “telling a story” rather than technical competence.

The findings draw on qualitative research: in-depth interviews with more than 50 CISOs and 25 Corporate Directors, supplemented by focus groups.