In a post on CBR Online, Ian Glover, president of CREST, a non-profit accreditation body, argues for a new way of reporting on cyber security. Boards are responsible for managing cyber security resilience and for communicating to stakeholders that appropriate controls are in place. However, most board members do not have the expertise to judge the right level of cyber security for their organization. It is up to cyber security professionals to provide the board with risk reports they can understand.
The best way to find out how resilient an organization is to cyber attacks is through penetration testing: simulating attacks from inside or outside the organization and determining the effectiveness of the response. The results would form the basis of a cyber resilience opinion that stakeholders and decision makers can understand. In order to provide the same degree of confidence as financial or legal opinions, cyber resilience opinions must be provided by qualified experts who can speak the language of the boardroom.
CREST is working with industry and government bodies to set up a Cyber Security Council which will provide professional status for cyber security on the same level as accounting, law and engineering. Individual industries are setting up their own plans. A cyber security resilience opinion could be part of an organization's annual financial report or stand on its own.
As I recently posted, most cyber security professionals today have low confidence that boards understand their presentations. Increased professionalism in reporting would go a long way toward increasing the level of confidence.