Close the Gap

Wachnik (2014) and Bergh et al. (2019) defined information asymmetry as a situation where one party has more information or details about a transaction than the other party. More simply and in the context of cybersecurity, information asymmetry is the disparity between what management knows and what the board knows (NACD, 2019).

A challenge in the information security space is the issue of a non-event. Often, cybersecurity is unobservable, nothing happened, or an element of uncertainty which is an issue because it is the exact reason board members struggle with the value of top executives, like a CISO (Bergh et al., 2019). Another challenge with information asymmetry in the boardroom is that the board must remain abreast of current risks facing the organization to make timely and sound decisions regarding risks in the environment; however, the board must be told this information since they are not involved in the daily operations (Brennan et al., 2016).

Information asymmetry may not be bad for boards and may improve the effectiveness of the board (Brennan et al., 2016). Brennan et al. (2016) called this the “information asymmetry paradox” (p. 137), whereby the board must have a gap in knowledge of the operations of the organization; otherwise, there would not be questions to ask at board meetings. To gain the correct information, board members must be more involved in their organization and seek out the information they need to serve their primary roles of providing advice and monitoring the decisions made by the highest levels of management (Brennan et al., 2016). The need to ask questions creates the independence paradox where the board depends on management for necessary information.

Frank et al. (2019) found that providing information assurances helps to reduce information asymmetry. Leveraging the assurances of others was perceived better than the information provided by management. A challenge in reducing the information asymmetry is the language used by cybersecurity experts when presenting to the executives and the board. Too often, tactical measures or metrics are used to report to the board. Fitzgerald (2018) provides guidance for reporting to the board with 39 suggestions, and not one is a technical metric. Fitzgerald (2018) specifically calls out avoiding security jargon but emphasizes business relevant language and mainly speaking in terms of money; however, that is one view.

Shayo and Lin (2019) interviewed of 36 past CISOs and 3 CEOs, four propositions were made:

1.?????CISOs that think strategically and can apply that strategic mentality by incorporating security into the operating environment are placed at a higher level in the organization.

2.?????A CISO needs to manage the perceptions of the CEO by demonstrating an understanding of the business and communicating how they will lead cybersecurity to be placed higher in the organization.

3.?????A CISO will report the CIO if they do not learn to speak the language of the business and only demonstrate technical abilities.

4.?????A CISO needs to demonstrate effective cybersecurity leadership by providing peace of mind to stakeholders and showing tangible business outcomes for cybersecurity investments to earn a seat at the table.

These four propositions support the need for a better way to communicate with executives and the board for better success for the CISO and better organizational outcomes.

Continued messaging in terms that the board recognizes and understands is imperative. The use of tactical or aggregate metrics does not matter. Instead, the messaging behind the metrics may have a more significant influence on board and executive understanding. Improving trust may be one method to achieve the goals of reducing information asymmetry and reducing affective response. The broader recommendation is to have specific conversations to discover the exact messages that resonate with the specific audience. Having conversations with stakeholders and continually building trust is imperative to building trust, reducing the information asymmetry gap, and improving decision making.?These conversations may need to be at a one-on-one level versus a full executive or board meeting. By keeping the conversations smaller, more focused questions may be possible along with teaching and explaining.

References -

Bergh, D. D., Ketchen, D. J., Orlandi, I., Heugens, P. P., & Boyd, B. K. (2019). Information asymmetry in management research: Past accomplishments and future opportunities. Journal of Management, 45(1), 122-158. https://doi.org/10.1177/0149206318798026

Brennan, N. M., Kirwan, C. E., & Redmond, J. (2016). Accountability processes in boardrooms. Accounting, Auditing & Accountability Journal, 29(1), 135-164. https://doi.org/10.1108/aaaj-10-2013-1505

Fitzgerald, T. (2018). CISO compass: Navigating cybersecurity leadership challenges with insights from pioneers. CRC Press. https://doi.org/10.1201/9780429399015

Frank, M. L., Grenier, J. H., & Pyzoha, J. S. (2019). How disclosing a prior cyberattack influences the efficacy of cybersecurity risk management reporting and independent assurance. Journal of Information Systems, 33(3), 183–200. https://doi-org.proxy1.calsouthern.edu/10.2308/isys-52374

NACD. (2019).?2019-2020 NACD Public Company Governance Survey?(SUR-092). National Association of Corporate Directors.?https://corpgov.law.harvard.edu/wp-content/uploads/2020/01/2019-2020-Public-Company-Survey.pdf

Shayo, C., & Lin, F. (2019). An exploration of the evolving reporting organizational structure for the chief information security officer (CISO) function. Journal of Computer Science and Information Technology, 7(1). https://doi.org/10.15640/jcsit.v7n1a1

Wachnik, B. (2014). Reducing information asymmetry in IT projects. Informatyka Ekonomiczna, (31), 212-222. https://doi.org/10.15611/ie.2014.1.17

——————

Follow me, tap my bell ?? on my profile Edward Marchewka

You will be notified the second I post.