The CISO’s Ultimate Guide to Reporting to the Board - Bay Dynamics, Inc.

Transcript

Page 1:

The CISO’s Ultimate Guide to Reporting to the Board

Win respect, earn more budget and change the world … one security improvement at a time.

Page 2:

If you’re an IT security and risk executive being called to report to the board, you’re not alone. CSOs, CISOs and CIROs are increasingly required to report to CEOs and boards of directors about cybersecurity risk in the enterprise. It’s a golden opportunity for those security executives to make security champions out of the most influential leaders in the organization. Unfortunately, it’s also an opportunity often squandered.

If you feel like you’re having a hard time getting through to your CEO and board of directors, it might be time to rethink your approach. Here are some critical ways you can improve how you communicate risk up the management chain.

Executives and directors reporting infosec as a top boardroom issue: 33% (2012), 63% (2015)

93 percent of boards review IT risk assessments

22 percent of security leaders brief the board of directors on cybersecurity strategy

25 percent of board audit committees in the United States say the quality of cybersecurity information they receive is good

Page 3:

Approach reporting with the rigor of a CFO. First things first. One of the best ways you can take advantage of your audience with the board is by taking a page from the CFO playbook.

When CFOs sit down with directors, they’ll come with a financial statement in hand to give a look at what happened in the previous quarter. They’ll typically have a balance sheet that gives a point-in-time snapshot of what’s happening now — the current financial posture, as it were. And then they’ll offer a waterfall analysis to explain how things look against financial forecasts — basically a comparison of actual performance versus predicted or expected performance.

The CFO’s reporting is very regimented and disciplined and it gives the board a numerical view of where the organization has been, where it is now, where it wants to be and how well it is doing to achieve those goals.

Now, we understand that there’s a lot about security that requires qualitative explanations in addition to the quantitative ones. We get it. In accounting, the numbers will match — they have to. In security it is more complicated than that.

The point here is that for CISOs to be taken seriously by the board they at least need to try to be more quantitative. If you find some consistent measurements to follow and are disciplined about how they’re collected and analyzed, you’re far more likely to get better mindshare from the board.

How do boards want cybersecurity information? (survey responses, in the order shown)

High-level security strategy descriptions

Risk metrics

Security and risk posture compared to peers

Description of security technologies

Audit and compliance status

I am not regularly briefed on our security posture

Anecdotes

Page 4:

Focus on metrics quality over quantity.

At the same time, remember that numbers aren’t there to make pretty graphs on slide decks. They’re meant to tell a story. And if you choose to clutter your story with irrelevant numbers, charts and graphs, you’ll be ignored.

Many security executives take to heart the lesson that boards respect metrics-driven reports. But they make the mistake of filling their presentations with too many broad, raw numbers that offer no context or perspective for risk-based oversight.

Think for a minute. If you present a statistic such as the total number of malware attacks over the past year, how useful is that to the board? After all, is there any way for the board to know how that compares to previous years, whether things are improving, which assets are affected, and most importantly, what impact it has on the business? It is a metric that gives the board members no understanding of how well the organization is managing risk, so it cannot help them make the right decisions.

Instead, the board would rather see a metric that measures the effectiveness of response to this body of attacks. Even better, the board wants to hear about response effectiveness specifically indexed against asset value.

Less Useful | More Useful | Most Useful

Total number of malware attacks | Mean time to respond over each of the past 12 months | Mean time to respond during each of the past 12 months to attacks against infrastructure containing PII or sensitive IP

Total unpatched systems | Patch latency (length of time systems remain unpatched), by line of business and severity | Patch latency for mission-critical systems, over each of the past 12 months

Total data loss prevention violations | Probable number of sensitive data records that will be lost over the coming 12 months | Cost impact of the probable number of sensitive data records that will be lost over the coming 12 months
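The table above lists the metrics but not how to get from raw event data to them. The following Python is an added example, not code from Bay Dynamics or from the original guide: it rolls constructed incident and patch records up into the "more useful" and "most useful" columns, keyed by month, by line of business and severity, and by whether the asset holds PII or sensitive IP. The asset inventory, incidents, patch records and field names are all assumptions made for the illustration; the point is that the same raw data that yields the "less useful" total also yields the contextual metrics once assets are classified.

```python
"""Board-metric roll-ups from raw incident and patch records.

Added example (not Bay Dynamics' code). All records below are constructed
for illustration; the asset attributes and field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed asset inventory. "sensitive" marks systems holding PII or
# sensitive IP; "critical" marks mission-critical systems.
ASSETS = {
    "crm-db":    {"lob": "sales",  "sensitive": True,  "critical": True},
    "hr-portal": {"lob": "hr",     "sensitive": True,  "critical": False},
    "kiosk-07":  {"lob": "retail", "sensitive": False, "critical": False},
    "build-srv": {"lob": "eng",    "sensitive": True,  "critical": True},
}

# Constructed malware incidents: (asset, detected, contained), ISO timestamps.
INCIDENTS = [
    ("kiosk-07",  "2016-01-03T09:00", "2016-01-03T11:00"),  # 2 h
    ("crm-db",    "2016-01-10T08:00", "2016-01-12T08:00"),  # 48 h, sensitive
    ("hr-portal", "2016-02-02T10:00", "2016-02-02T16:00"),  # 6 h, sensitive
    ("kiosk-07",  "2016-02-14T12:00", "2016-02-14T13:00"),  # 1 h
    ("build-srv", "2016-03-01T00:00", "2016-03-02T12:00"),  # 36 h, sensitive
    ("kiosk-07",  "2016-03-20T08:00", "2016-03-20T09:00"),  # 1 h
]

# Constructed patch records: (asset, severity, published, applied).
# applied=None means the patch was still missing at SNAPSHOT.
PATCHES = [
    ("crm-db",    "critical", "2016-01-05", "2016-01-08"),
    ("crm-db",    "high",     "2016-02-01", "2016-02-20"),
    ("hr-portal", "critical", "2016-01-05", "2016-02-10"),
    ("kiosk-07",  "low",      "2016-01-05", None),
    ("build-srv", "critical", "2016-03-01", "2016-03-03"),
    ("build-srv", "high",     "2016-02-15", None),
]
SNAPSHOT = datetime(2016, 3, 31)  # reporting date for still-open patches


def _hours(start, end):
    """Elapsed hours between two ISO timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def total_malware_attacks(incidents=INCIDENTS):
    """Less useful: a raw count with no time, asset or business context."""
    return len(incidents)


def mttr_by_month(incidents=INCIDENTS, sensitive_only=False, assets=ASSETS):
    """Mean time to respond (hours), keyed by YYYY-MM of detection.

    sensitive_only=True restricts the roll-up to assets holding PII or
    sensitive IP, which is the "most useful" form of this metric.
    """
    buckets = defaultdict(list)
    for asset, detected, contained in incidents:
        if sensitive_only and not assets[asset]["sensitive"]:
            continue
        buckets[detected[:7]].append(_hours(detected, contained))
    return {month: round(mean(h), 1) for month, h in sorted(buckets.items())}


def _latency_days(published, applied, snapshot):
    """Days a system stayed unpatched; open patches count up to the snapshot."""
    end = datetime.fromisoformat(applied) if applied else snapshot
    return (end - datetime.fromisoformat(published)).days


def patch_latency_by_lob_severity(patches=PATCHES, assets=ASSETS, snapshot=SNAPSHOT):
    """Mean days unpatched, keyed by (line of business, severity).

    Counting still-open patches up to the snapshot stops the number from
    being flattered by measuring only work that was finished.
    """
    buckets = defaultdict(list)
    for asset, severity, published, applied in patches:
        buckets[(assets[asset]["lob"], severity)].append(
            _latency_days(published, applied, snapshot))
    return {key: round(mean(d), 1) for key, d in sorted(buckets.items())}


def critical_patch_latency_by_month(patches=PATCHES, assets=ASSETS, snapshot=SNAPSHOT):
    """Mean days unpatched for mission-critical systems, keyed by month published."""
    buckets = defaultdict(list)
    for asset, severity, published, applied in patches:
        if not assets[asset]["critical"]:
            continue
        buckets[published[:7]].append(_latency_days(published, applied, snapshot))
    return {month: round(mean(d), 1) for month, d in sorted(buckets.items())}


if __name__ == "__main__":
    print("Total malware attacks:", total_malware_attacks())
    print("MTTR by month, all assets (h):", mttr_by_month())
    print("MTTR by month, PII / sensitive IP assets (h):", mttr_by_month(sensitive_only=True))
    print("Patch latency by LOB and severity (days):", patch_latency_by_lob_severity())
    print("Mission-critical patch latency by month (days):", critical_patch_latency_by_month())
```

On the constructed data the all-asset January MTTR is 25 hours while the sensitive-asset figure is 48 hours: the fast clean-ups on a retail kiosk mask a slow response on the CRM database. That gap is exactly what the "most useful" column exposes, and it only becomes visible once the asset inventory records which systems hold PII or sensitive IP.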

Page 5:

Context Matters. Remember: when reporting observations and metrics to the board, context matters.

Context could come through a baseline measurement to track progress. It could mean contextualizing with a time-based measurement to offer insight into speed and efficacy of response. Or it could mean comparing a figure against an industry benchmark to offer an idea of how well the organization is doing compared to its peers.

Most important of all, though, metrics should offer business context to the board. These leaders want prioritization rankings based on the value of assets being protected. They want analytics that forecast losses in the event of something bad happening to a particular system or batch of closely held information. They want to see numbers that demonstrate how a new security investment is reducing risk to high value assets.

Being able to make a distinction between risks to high value systems and all of the other infrastructure in your environment is critical. But it’s not easy. In order to do that, you’ll need to do the foundational work of knowing exactly what your crown jewels are and where they’re located.

Page 6:

Answer These Questions To Give Context

How are our most important assets being protected in comparison to our least important assets?

What kind of employee and third party vendor user behavior is elevating our risk of getting breached?

How does our cybersecurity strategy align with our business objectives?

What process is in place to identify if we are breached?

How do we measure the effectiveness of our cybersecurity program?

What would it cost us if the sensitive data in our eCommerce system was stolen?

What is each line of business doing to manage its own department’s cyber risk?

By how much has that cyber risk decreased during the past quarter?

What steps are we taking to remediate that risky behavior?

What percentage of our vendor users with access to our network are putting us at risk of a compromise?

Page 7:

Respect The Board. Respect is a two-way street. If you don’t come to the table with a healthy respect for your directors, you’re not likely to win that respect back from them. Directors are typically smart, competent and confident people. They may not be experts in security, but they do know how to steer a business away from risk and toward profit by listening to subject matter experts. However, they expect those experts to frame their advice around relevant business concerns.

In other words, you’re not going to impress a board with how smart you are by throwing technical jargon at them that will go over their heads. Quite the opposite. Instead, they’ll be frustrated that you don’t understand their concerns. They’ll hammer you with questions about what those technical points actually mean for the business. And once you eventually speak the language they understand — the language of business risk — they’ll wonder why you didn’t start there in the first place.

Similarly, transparency and honesty are the currency of a respectful relationship. Are you thinking about holding back certain data or maybe changing a baseline start date to make performance look a little better? Just stop. That kind of dishonesty will eventually be discovered and it will not only undermine your credibility, but could cost you your job.

In the same vein, if you have metrics that are based on incomplete data sets, that’s OK as long as you’re transparent about what you don’t know. Let the board know where the blind spots are and help them decide if further investment or work is needed to clear them up.

64 percent of boards look for risk and cybersecurity experience from new directors

Page 8:

Develop a reproducible process. A large number of security executives today take a point-in-time approach to reporting to the board. They might ask their reports for status updates on very specific security metrics and manually compile them into a spreadsheet. They toss those numbers into some slides and then give their presentation. If they survive that ordeal, they take a deep breath, put the spreadsheet away and come back to do the same thing three to six months later.

The problem is that those reports are disconnected from how you are actually combatting cyber risks every single day. Combatting cyber risk is a continuous process, and that is what you should be telling board members, so they can track progress from period to period. To reliably do that, you’re going to need a better process for gathering metrics and observations.

Ultimately, you’re seeking the most elegant way to show the real state of affairs in cyber security risk. As a security expert, your role is to be a risk leader who is tasked with presenting the most accurate and complete information possible so that the board understands its risk posture, can make decisions and has a yardstick to measure whether it’s getting better over time.

50 percent of senior IT professionals don’t have procedures in place to measure their existing security programs

Page 9:

5 Keys to Reliable Reporting Metrics

TRUSTWORTHY: Metrics are based on attributes that aren’t unduly affected by personal bias and can’t be gamed by those being reported on.

TRACEABLE: The process for collecting and parsing data is transparent and easy to understand.

AUTOMATED: The means of collection is reproducible and, preferably, automated to ensure precise measurements over time.

DEFINABLE: There’s a standardized method for collecting the data presented to the board.

CONTINUOUS: Data is collected in as near to real time as possible.

Page 10:

For more information, please visit www.baydynamics.com

www.twitter.com/BAYDYNAMICS

www.linkedin.com/company/bay-dynamics/

www.facebook.com/bay.dynamics