As a cybersecurity practitioner, my primary responsibility is to articulate the cyber risks facing an organization and provide options to address them. Providing accurate information is critical to allow Directors and Officers (D&O) to make decisions on cyber risks and their business impacts. In short, D&O have traditionally had four primary ways to handle risk.
I have encountered a fifth method of handling risk among some of my clients: holding it through information filtering. The illustration depicts an actual flow of information for a company I recently worked with (the names have been changed). Bob, the Director of IT, is holding the risks for the organization by not articulating to the CIO the extreme findings that cybersecurity found during the latest penetration test. Consequently, the CIO shares another filtered report to Ace (board member) that the results were “not too bad”, based on his assumption that the team is working on items to mitigate risks.
In my opinion, the internal audit team should have been included with cybersecurity directly sharing the results to them without any information filtering. Audit could then follow-up on the remediation activities to ensure that risks are truly being mitigated. Unfortunately, this does not happen enough, and cyber risks are often left unaddressed.
In the Special Report on Cybersecurity, 93 percent of executives stated that they were “confident in their organization’s ability to safeguard customer data.” However, is confidence misguided due to information filtering? I believe there are a few reasons executives are more confident in their security program than those that are more closely responsible for running it.
The special report shows increased spending on internal security controls and capabilities most likely inflated executive confidence, with 53 percent of respondents stating that the likelihood of unauthorized users attempting to access data and systems is very or somewhat unlikely. Among the respondents, the following items were implemented to increase the security posture:
The executives approve funding and resources to mitigate the known risks, but in the example above, there were still unaddressed risks.
In the example, cybersecurity performed a penetration test, but the scope of the assessment was left obscured:
I frequently encounter instances of cybersecurity limiting tests due to budget constraints or removing systems that “are known to be vulnerable,” such as legacy systems or applications that are too sensitive to test (operational risk of bringing down a system/application during the testing). This skews the results, limiting the D&O’s abilities to make informed decisions.
While executive confidence may be misguided, it’s not entirely their fault. In the example, executives are acting on the information they have been provided. They believed this information was accurate and provided funding and resources to mitigate.
Reducing information filtering can be challenging and certainly happens in business functions beyond cybersecurity. Unfortunately, board members are not empowered with the information to make business decisions related to cyber risks. There are a few ways to reduce cybersecurity information filtering that I have seen to be effective:
Internal audit should be included when, if not responsible for, conducting security assessments. While they may not have the skillset or technical capabilities, the nature of internal audit allows them to have an unrestricted access to the audit board and CFO. Since they are not responsible for the security program (like the CIO), there is no conflict of interest, which may reduce the effects of information filtering.
Setting up a cybersecurity steering committee can have a tremendous impact on the visibility of risks across an organization. In the example provided, cybersecurity, CIO, internal audit along with various business members would be presented the initial penetration test report. All steering members would be briefed on the results, and a unified message crafted on how to articulate to the board. In many instances, the cyber risk appetite for the company is formulated during these meetings.
While not as common, I have worked directly with boards to assess the security of the organization. While the findings need to be presented in a concise manner, boards often find value in having full access to the information. Frankly, almost every board I have presented to has at least one fairly technical resource that takes more interest in the findings and helps craft the message to the rest of the board.
Hopefully, these solutions are valuable to helping understand some of the constraints and perceptions that people have on their cybersecurity program. If you feel like you are holding too much risk, implement a solution and see if your visibility on risks changes. I believe the results will be eye opening.
Ken Stasiak
Ken Stasiak is a principal in the security, privacy and risk practice of RSM. In that role, he is responsible for helping clients with remediation, implementation and managed services. Throughout his career, Stasiak has consulted with hundreds of companies on risk management in highly visible and regulated industries such as financial services, retail, high-tech and the energy sector.
Prior to joining RSM, Stasiak served as president, CEO and co-founder of SecureState, an information security assessment and protection consulting firm that was acquired by RSM in March 2018. Previously, he served as a manager at Arthur Anderson. He also held positions at a Big Four accounting firm, MarchFirst and Whittman-Hart.
Stasiak earned his EMBA from Northwestern University Kellogg School of Management. He holds a bachelor’s degree in accounting and an associate’s degree in computer programming from the University of Akron.
Stasiak holds various industry certifications, including CISSP, CISA, CGEIT and CISM, and has been featured on Bloomberg Businessweek, CNN, SIRIUS XM Satellite Radio, PBS, and Fox News for his expertise on information security. Ken.Stasiak@rsmus.com
Women Powering Manufacturing: Breaking Barriers
Magen Buterbaugh is the President & CEO at Greene Tweed. Listen to her insights on her ambition to be a lawyer and how her math teacher suggested she consider chemical engineering. Now with several accolades to her name including being honored as one of the 2020 Most Outstanding Engineering Alumnus of Penn State and a Board Member of National Association of Manufacturers (NAM) she has never looked back.
Get In Touch
Google news and SEO compliant, Industry Today’s state-of-the-art digital media platform offers bespoke media campaigns that target key decision makers and buyers to achieve your marketing and promotional goals.
Contribute
Showcase your brand and promote your business to our highly targeted audience. We offer detailed Google Analytics with measurable ROI to assure success. Submit your content for review by our Editorial team who will contact you to discuss the project further.
About Us
Reach Your Targeted Audience and Grow Your Business. Learn more About Industry Today.
Contact Us
© 2025 Industry today. All Rights reserved.
