How should Chief Information Security Officers (CISOs) evaluate and report on the state of their organization’s cybersecurity and its impact on the business? How should they determine which metrics to reference so that they resonate and are informative for the board?
CISOs often have to deal with a dilemma of how to effectively and impactfully communicate metrics to the board, balancing the desire to be comprehensive and clear about the impact and delivering the message in a limited time.
Identifying Areas of Focus
Before something can be measured, it’s important to gauge what it is being measured against and why. The board in its oversight role needs to determine, in partnership with the business, the level of cybersecurity risk they are willing to accept in pursuit of achieving their business objectives. By extension, the CISO’s role, in partnership with other leaders in the organization, is to keep the board informed on whether the organization’s cybersecurity risk profile is within that defined appetite by monitoring and reporting on a set of relevant indicators.
Importantly, cybersecurity metrics, often consisting of key performance indicators (KPIs) and key risk indicators (KRIs), are not “one-size-fits-all,” and defining those that are most relevant for the organization is an exercise informed by the organization’s business mix, the current and evolving threat landscape, and the effectiveness of the organization’s control environment.
To determine which metrics to focus on, consider including those that provide the board with insight into risk management in the following five areas, as further discussed in Perspectives on Security for the Board
-
What are the current threats to your organization?
-
What is the significance if one or more of those threats impact your organization?
-
What is cybersecurity leadership doing to mitigate those threats?
-
How is the CISO testing to determine whether these mitigations are working?
-
What are the risks that aren’t mitigated, but which the organization is willing to accept?
Having identified a key set of metrics that are aligned to informing responses to the risk management questions above, it’s crucial to monitor them over time for trend analysis and to provide the board with regular updates. Effective CISOs know that the answer to many of the board’s questions regarding the organization’s cybersecurity posture, operational resilience, and comparison relative to its peers, will be nuanced and typically can’t be addressed by pointing to a specific metric. Rather, a good response typically begins with some contextualization and a few examples of significant data points.
Cybersecurity-related KPIs and KRIs should be presented in a manner that ties them into the overall business risk. For impactful messaging that resonates with the board, CISOs should articulate how these metrics relate to critical business services and assets, while also indicating how those metrics are relevant in the context of emerging cybersecurity risks and the changing regulatory landscape.
The metrics should likewise inform the board’s understanding of whether the business is operating within its risk appetite and how the organization’s cyber maturity compares to its peers. Using consistent templates to track key indicators enables trend analysis and monitoring for control efficacy. Consider how to structure the information into a single pane view that sets out the risks, relevant controls, and the effectiveness of those controls as indicated through the organization’s continuous monitoring efforts. Doing so not only enables a normalized frame of reference, but also helps track progress toward identified goals.
Metrics Are Just One Part of the Puzzle
The board is interested in a thematic overview of relevant trends, and only those qualitative and quantitative cybersecurity metrics that provide insight into the “big picture” view of the organization, threat landscape, regulatory environment, and other significant indicators.
Clearly articulating the material risks for the board’s awareness, as well as any action or approvals that are being sought, will go a long way in supporting a fruitful discussion. In addition, consider ways to address certain key questions regarding the overall governance, operating model, impact to the organization’s risk profile and appetite, and regulatory compliance posture that are top of mind for boards. Proactively providing insights in these areas enables transparency and builds trust, both of which are critical components to supporting the board in being informed, engaged, and involved.
Read more Partner Perspectives from Google Cloud
