Close the Gap
Edward Marchewka
Strategic Executive | Cybersecurity & Risk Management | IT Strategy, Digital Transformation, and Talent Development | Driving Innovation in Non-Profit & Private Sectors | Dissertation Chair & Adjunct Professor
Wachnik (2014) and Bergh et al. (2019) defined information asymmetry as a situation where one party has more information or details about a transaction than the other party. More simply and in the context of cybersecurity, information asymmetry is the disparity between what management knows and what the board knows (NACD, 2019).
A challenge in the information security space is the issue of a non-event. Often, the outcome of cybersecurity is unobservable: nothing happened, or there is an element of uncertainty. This is an issue because it is the exact reason board members struggle with the value of top executives, like a CISO (Bergh et al., 2019). Another challenge with information asymmetry in the boardroom is that the board must remain abreast of current risks facing the organization to make timely and sound decisions regarding risks in the environment; however, the board must be told this information since they are not involved in the daily operations (Brennan et al., 2016).
Information asymmetry may not be bad for boards and may improve the effectiveness of the board (Brennan et al., 2016). Brennan et al. (2016) called this the “information asymmetry paradox” (p. 137), whereby the board must have a gap in knowledge of the operations of the organization; otherwise, there would not be questions to ask at board meetings. To gain the correct information, board members must be more involved in their organization and seek out the information they need to serve their primary roles of providing advice and monitoring the decisions made by the highest levels of management (Brennan et al., 2016). The need to ask questions creates the independence paradox where the board depends on management for necessary information.
Frank et al. (2019) found that providing information assurances helps to reduce information asymmetry. Leveraging the assurances of others was perceived better than the information provided by management. A challenge in reducing the information asymmetry is the language used by cybersecurity experts when presenting to the executives and the board. Too often, tactical measures or metrics are used to report to the board. Fitzgerald (2018) provides guidance for reporting to the board with 39 suggestions, and not one is a technical metric. Fitzgerald (2018) specifically calls for avoiding security jargon and instead emphasizes business-relevant language, mainly speaking in terms of money; however, that is one view.
From interviews of 36 past CISOs and 3 CEOs, Shayo and Lin (2019) made four propositions:
1. CISOs that think strategically and can apply that strategic mentality by incorporating security into the operating environment are placed at a higher level in the organization.
2. A CISO needs to manage the perceptions of the CEO by demonstrating an understanding of the business and communicating how they will lead cybersecurity to be placed higher in the organization.
3. A CISO will report to the CIO if they do not learn to speak the language of the business and only demonstrate technical abilities.
4. A CISO needs to demonstrate effective cybersecurity leadership by providing peace of mind to stakeholders and showing tangible business outcomes for cybersecurity investments to earn a seat at the table.
These four propositions support the need for a better way to communicate with executives and the board for better success for the CISO and better organizational outcomes.
Continued messaging in terms that the board recognizes and understands is imperative. The use of tactical or aggregate metrics does not matter. Instead, the messaging behind the metrics may have a more significant influence on board and executive understanding. Improving trust may be one method to achieve the goals of reducing information asymmetry and reducing affective response. The broader recommendation is to have specific conversations to discover the exact messages that resonate with the specific audience. Having conversations with stakeholders and continually building trust is imperative to reducing the information asymmetry gap and improving decision making. These conversations may need to be at a one-on-one level versus a full executive or board meeting. By keeping the conversations smaller, more focused questions may be possible along with teaching and explaining.
References
Bergh, D. D., Ketchen, D. J., Orlandi, I., Heugens, P. P., & Boyd, B. K. (2019). Information asymmetry in management research: Past accomplishments and future opportunities. Journal of Management, 45(1), 122-158. https://doi.org/10.1177/0149206318798026
Brennan, N. M., Kirwan, C. E., & Redmond, J. (2016). Accountability processes in boardrooms. Accounting, Auditing & Accountability Journal, 29(1), 135-164. https://doi.org/10.1108/aaaj-10-2013-1505
Fitzgerald, T. (2018). CISO compass: Navigating cybersecurity leadership challenges with insights from pioneers. CRC Press. https://doi.org/10.1201/9780429399015
Frank, M. L., Grenier, J. H., & Pyzoha, J. S. (2019). How disclosing a prior cyberattack influences the efficacy of cybersecurity risk management reporting and independent assurance. Journal of Information Systems, 33(3), 183-200. https://doi.org/10.2308/isys-52374
NACD. (2019). 2019-2020 NACD Public Company Governance Survey (SUR-092). National Association of Corporate Directors. https://corpgov.law.harvard.edu/wp-content/uploads/2020/01/2019-2020-Public-Company-Survey.pdf
Shayo, C., & Lin, F. (2019). An exploration of the evolving reporting organizational structure for the chief information security officer (CISO) function. Journal of Computer Science and Information Technology, 7(1). https://doi.org/10.15640/jcsit.v7n1a1
Wachnik, B. (2014). Reducing information asymmetry in IT projects. Informatyka Ekonomiczna, (31), 212-222. https://doi.org/10.15611/ie.2014.1.17
LCSW
2 years ago: This is great! Connections here for other industries as well.