Close the Gap

Wachnik (2014) and Bergh et al. (2019) defined information asymmetry as a situation where one party has more information or details about a transaction than the other party. More simply and in the context of cybersecurity, information asymmetry is the disparity between what management knows and what the board knows (NACD, 2019).

A challenge in the information security space is the problem of the non-event. Cybersecurity outcomes are often unobservable: nothing happened, or the result carries an element of uncertainty. This is an issue because it is the exact reason board members struggle to see the value of top executives like a CISO (Bergh et al., 2019). A further challenge with information asymmetry in the boardroom is that the board must remain abreast of the current risks facing the organization to make timely and sound risk decisions; however, because board members are not involved in daily operations, they must be told this information by someone who is (Brennan et al., 2016).

Information asymmetry may not be bad for boards and may improve the effectiveness of the board (Brennan et al., 2016). Brennan et al. (2016) called this the “information asymmetry paradox” (p. 137), whereby the board must have a gap in knowledge of the operations of the organization; otherwise, there would not be questions to ask at board meetings. To gain the correct information, board members must be more involved in their organization and seek out the information they need to serve their primary roles of providing advice and monitoring the decisions made by the highest levels of management (Brennan et al., 2016). The need to ask questions creates the independence paradox where the board depends on management for necessary information.

Frank et al. (2019) found that providing information assurances helps to reduce information asymmetry; assurances from independent third parties were perceived more favorably than information provided by management alone. A challenge in reducing information asymmetry is the language cybersecurity experts use when presenting to executives and the board. Too often, tactical measures or metrics are used to report to the board. Fitzgerald (2018) provides 39 suggestions for reporting to the board, and not one is a technical metric. Fitzgerald (2018) specifically calls for avoiding security jargon and emphasizes business-relevant language, mainly speaking in terms of money; however, that is one view.

Shayo and Lin (2019) interviewed 36 past CISOs and 3 CEOs and made four propositions:

1. CISOs that think strategically and can apply that strategic mentality by incorporating security into the operating environment are placed at a higher level in the organization.

2. A CISO needs to manage the perceptions of the CEO by demonstrating an understanding of the business and communicating how they will lead cybersecurity in order to be placed higher in the organization.

3. A CISO will report to the CIO if they do not learn to speak the language of the business and only demonstrate technical abilities.

4. A CISO needs to demonstrate effective cybersecurity leadership by providing peace of mind to stakeholders and showing tangible business outcomes for cybersecurity investments to earn a seat at the table.

These four propositions support the need for a better way to communicate with executives and the board, leading to greater success for the CISO and better organizational outcomes.

Continued messaging in terms that the board recognizes and understands is imperative. Whether the metrics are tactical or aggregate matters less than the messaging behind them, which may have a more significant influence on board and executive understanding. Improving trust may be one method to achieve the goals of reducing information asymmetry and reducing affective response. The broader recommendation is to have specific conversations to discover the exact messages that resonate with the specific audience. Having conversations with stakeholders and continually building trust is imperative to reducing the information asymmetry gap and improving decision making. These conversations may need to happen one-on-one rather than in a full executive or board meeting. Keeping the conversations smaller allows for more focused questions, along with teaching and explaining.

References

Bergh, D. D., Ketchen, D. J., Orlandi, I., Heugens, P. P., & Boyd, B. K. (2019). Information asymmetry in management research: Past accomplishments and future opportunities. Journal of Management, 45(1), 122-158. https://doi.org/10.1177/0149206318798026

Brennan, N. M., Kirwan, C. E., & Redmond, J. (2016). Accountability processes in boardrooms. Accounting, Auditing & Accountability Journal, 29(1), 135-164. https://doi.org/10.1108/aaaj-10-2013-1505

Fitzgerald, T. (2018). CISO compass: Navigating cybersecurity leadership challenges with insights from pioneers. CRC Press. https://doi.org/10.1201/9780429399015

Frank, M. L., Grenier, J. H., & Pyzoha, J. S. (2019). How disclosing a prior cyberattack influences the efficacy of cybersecurity risk management reporting and independent assurance. Journal of Information Systems, 33(3), 183-200. https://doi.org/10.2308/isys-52374

NACD. (2019). 2019-2020 NACD Public Company Governance Survey (SUR-092). National Association of Corporate Directors. https://corpgov.law.harvard.edu/wp-content/uploads/2020/01/2019-2020-Public-Company-Survey.pdf

Shayo, C., & Lin, F. (2019). An exploration of the evolving reporting organizational structure for the chief information security officer (CISO) function. Journal of Computer Science and Information Technology, 7(1). https://doi.org/10.15640/jcsit.v7n1a1

Wachnik, B. (2014). Reducing information asymmetry in IT projects. Informatyka Ekonomiczna, (31), 212-222. https://doi.org/10.15611/ie.2014.1.17
