Educause Security Discussion mailing list archives

Reporting Cyber Risk to Board of Directors


From: "STURGIS, JOHN" <JSTURGIS () MAILBOX SC EDU>
Date: Tue, 3 Apr 2018 17:55:05 +0000

Good afternoon, everyone!

The folks over at Cyentia Institute<https://www.cyentia.com/> are gathering info for their second edition of the Cyber 
Balance Sheet report (last year’s is available 
here<https://cyentia.com/wp-content/uploads/Cyber-Balance-Sheet-Report-2017.pdf>), and I’m sure they would greatly 
value the input from higher ed security professionals.

Key points:

  *   Final report is available to all for free,
  *   The writers are some of the minds behind the Verizon DBIR,
  *   In my opinion, higher ed is underreported in this domain, much to our detriment.

The research questions they intend to answer (taken from their call for participation 
here<https://cyentia.com/2018/01/16/call-participation-2018-cyber-balance-sheet/>):

  1.  What information is typically reported to the board? How is it formatted, contextualized, and presented?
  2.  What information is viewed most favorably by Boards and other corporate executives? Can any be shown to increase trust?
  3.  Do reported metrics and/or Board responses to them vary across different types of organizations and board members?
  4.  If so, can a set of guidelines be created such that Board-level reporting is optimized for the organization and audience?

If you’re willing to contribute your time and knowledge, you can access the survey 
here<https://www.surveygizmo.com/s3/4254658/cyber-balance-sheet>.

Thanks for your time, and have a great day!

John P. Sturgis - Security Program Consultant

University Information Security Office
University of South Carolina
sturgis () sc edu<mailto:sturgis () sc edu>

