Trust or verify
Reporting to the board of directors provides key insight on business-critical areas like sales, financial performance, regulatory compliance and human resources to allow them to make strategic decisions for the business. Surprisingly, an area that’s often overlooked when providing these reports is cyber risk.
It’s surprising because IT is a critical function of every modern business. Cyber risks are on the rise, and can affect any business. It’s estimated an attack attempt takes place somewhere in the world every 39 seconds.
As such, it seems a grievous oversight that in the majority of cases, there isn’t more structure and visibility in place for business IT reporting.
The Role of the IT Department
Different companies organize their IT departments in different ways. An IT team can be in-house, outsourced to a managed services provider, or a hybrid arrangement. The services IT providers and teams can cover span a broad range, including:
Company infrastructure management.
Application deployment & support.
Backup solutions and cloud storage.
Network and cybersecurity.
Email and internal communication services.
Remote IT support.
Software provision (including Software as a Service).
Hardware installation and maintenance.
Workloads and pressures on IT departments are immense. These teams are responsible for keeping up to date with new trends and developments in technology and with new digital initiatives, as well as being prepared for the latest cyber threats, establishing ways to mitigate them, and protecting the business they work for.
The people making up these teams are only human, and not infallible! As a result, businesses become exposed and vulnerable to security risks.
The Problem with Board Reports
There are, of course, some companies that request frequent reports to the board from the company’s IT providers or department. The issue is that there’s often a disconnect between the information presented and how it is relayed to the board.
Frequently reported issues include:
Insufficient information.
Reports full of jargon technical terms that make it difficult for the board to understand.
Implications or risks not being detailed or explained.
Outsourced IT providers supplying no meaningful management information on the services they deliver to the organization.
It’s also common for business leaders to admit that they quite simply trust their IT department, regardless of whether the team is internal or external. There is absolutely no verification involved. This has far-reaching implications for businesses.
The importance of reporting
Business leaders are often unaware of the effectiveness of the services being provided, of any gaps in those services, and of issues or requirements that need to be resolved. Even more worryingly, they remain blissfully unaware of the extent of potential cyber threats, and of the areas and individuals within their business that are most vulnerable.
In addition, educating the board has become critical as a result of new regulation: the Securities and Exchange Commission (SEC) has proposed new rules for disclosing cyber incidents and practices in cyber governance, strategy, and risk management.
Therefore, it’s imperative that there’s a structured reporting schedule in place. Leaders need to be kept in the loop with any IT-related issues that could potentially have an impact on the business. This needs to be built into reporting policies and processes, and in the case of external service providers, ideally built into any Service Agreements.
Verify, don’t trust
We have always strongly encouraged, and will continue to encourage, full transparency and accountability around all IT services, in order to best protect your business.
Remember - verify, don’t trust!
If you are unsure of where to start and would like some advice on how to build a comprehensive reporting strategy that gives you full oversight into your company’s cyber risks, we can help. Get in touch here for a chat to discuss your situation and needs.