The CISO’s Ultimate Guide to Reporting to the Board
Win respect, earn more budget and change the world …one security improvement at a time.
If you’re an IT security and risk executive being called to report to the board, you’re not alone. CSOs, CISOs and CIROs are increasingly required to report to CEOs and boards of directors about cybersecurity risk in the enterprise. It’s a golden opportunity for those security executives to make security champions out of the most influential leaders in the organization. Unfortunately, it’s also an opportunity often squandered.
Figures from the accompanying infographic:
- Executives and directors reporting infosec as a top boardroom issue: 33 percent in 2012, 63 percent in 2015
- 93 percent of boards review IT risk assessments
- 22 percent of security leaders brief the board of directors on cybersecurity strategy
- 25 percent of board audit committees in the United States say the quality of cybersecurity information they receive is good
If you feel like you’re having a hard time getting through to your CEO and board of directors, it might be time to rethink your approach. Here are some critical ways you can improve how you communicate risk up the management chain.
Approach reporting with the rigor of a CFO.
First things first. One of the best ways you can take advantage of your audience with the board is by taking a page from the CFO playbook.
When CFOs sit down with directors, they’ll come with a financial statement in hand to give a look at what happened in the previous quarter. They’ll typically have a balance sheet that gives a point-in-time snapshot of what’s happening now — the current financial posture, as it were. And then they’ll offer a waterfall analysis to explain how things look against financial forecasts — basically a comparison of actual performance versus predicted or expected performance.
The CFO’s reporting is regimented and disciplined, and it gives the board a numerical view of where the organization has been, where it is now, where it wants to be and how well it is doing against those goals.
Now, we understand that there’s a lot about security that requires qualitative explanations in addition to the quantitative ones. We get it. In accounting, the numbers will match — they have to. In security it is more complicated than that.
The point here is that for CISOs to be taken seriously by the board they at least need to try to be more quantitative. If you find some consistent measurements to follow and are disciplined about how they’re collected and analyzed, you’re far more likely to get better mindshare from the board.
How do boards want cybersecurity information? (survey chart; share of respondents choosing each category, values not recoverable from the page)
- High-level security strategy descriptions
- Risk metrics
- Security and risk posture compared to peers
- Description of security technologies
- Audit and compliance status
- Anecdotes
- I am not regularly briefed on our security posture
Focus on metrics quality over quantity.
At the same time, remember that numbers aren’t there to make pretty graphs on slide decks. They’re meant to tell a story. And if you choose to clutter your story with irrelevant numbers, charts and graphs, you’ll be ignored.
Many security executives take to heart the lesson that boards respect metrics-driven reports. But they make the mistake of filling their presentations with too many broad, raw numbers that offer no context or perspective for risk-based oversight.
Think for a minute. If you present a statistic such as the total number of malware attacks over the past year, how useful is that to the board? Is there any way for the board to know how that compares to previous years, whether things are improving, which assets are affected and, most importantly, what impact it has on the business? It is a metric that gives board members no understanding of how well the organization is managing risk, so it does not help them make the right decisions.
Instead, the board would rather see a metric that measures the effectiveness of response to this body of attacks. Even better, the board wants to hear about response effectiveness specifically indexed against asset value.
Less Useful | More Useful | Most Useful
Total number of malware attacks | Mean time to respond over each of the past 12 months | Mean time to respond during each of the past 12 months to attacks against infrastructure containing PII or sensitive IP
Total unpatched systems | Patch latency (length of time systems remain unpatched), by line of business and severity | Patch latency for mission-critical systems, over each of the past 12 months
Total data loss prevention violations | Probable number of sensitive data records that will be lost over the coming 12 months | Cost impact of the probable number of sensitive data records that will be lost over the coming 12 months
Context Matters.
Remember: when reporting observations and metrics to the board, context matters.
Context could come through a baseline measurement to track progress. It could mean contextualizing with a time-based measurement to offer insight into speed and efficacy of response. Or it could mean comparing a figure against an industry benchmark to offer an idea of how well the organization is doing compared to its peers.
Most important of all, though, metrics should offer business context to the board. These leaders want prioritization rankings based on the value of assets being protected. They want analytics that forecast losses in the event of something bad happening to a particular system or batch of closely held information. They want to see numbers that demonstrate how a new security investment is reducing risk to high value assets.
Being able to distinguish risks to high-value systems from risks to all of the other infrastructure in your environment is critical. But it’s not easy. To do it, you’ll need to do the foundational work of knowing exactly what your crown jewels are and where they’re located.
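The metrics table above and the point about indexing risk to asset value are easy to state and harder to operationalize. The following is an added, illustrative example (not Bay Dynamics’ code or product) showing how the "more useful" and "most useful" columns are derived once an asset inventory carries line of business, criticality and PII tags. All data, field names, breach probabilities and the per-record cost are constructed for the example; a real program would pull them from the CMDB, ticketing system and vulnerability scanner.

```python
"""Board-level risk metrics computed from constructed sample data.

Assumed inputs (hypothetical, not from any real system): an asset inventory
tagged with line of business, criticality and whether it holds PII; a list of
incidents with detection and containment timestamps; and a list of findings
with disclosure and patch dates.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Constructed asset inventory: the "crown jewels" tagging the metrics depend on.
ASSETS = {
    "web-01":  {"lob": "eCommerce", "critical": True,  "pii": True,  "records": 200_000},
    "db-01":   {"lob": "eCommerce", "critical": True,  "pii": True,  "records": 1_500_000},
    "hr-app":  {"lob": "Corporate", "critical": False, "pii": True,  "records": 8_000},
    "kiosk-7": {"lob": "Retail",    "critical": False, "pii": False, "records": 0},
}

# Constructed incidents: (asset, detected, contained).
INCIDENTS = [
    ("web-01",  datetime(2016, 1, 4, 9, 0),   datetime(2016, 1, 4, 15, 0)),
    ("kiosk-7", datetime(2016, 1, 20, 8, 0),  datetime(2016, 1, 23, 8, 0)),
    ("db-01",   datetime(2016, 2, 2, 1, 0),   datetime(2016, 2, 2, 3, 0)),
    ("hr-app",  datetime(2016, 2, 14, 10, 0), datetime(2016, 2, 15, 10, 0)),
]

# Constructed findings: (asset, severity, published, patched or None if still open).
FINDINGS = [
    ("web-01",  "critical", date(2016, 1, 1),  date(2016, 1, 6)),
    ("db-01",   "critical", date(2016, 1, 10), None),
    ("hr-app",  "high",     date(2016, 1, 3),  date(2016, 2, 2)),
    ("kiosk-7", "high",     date(2016, 1, 15), date(2016, 2, 28)),
]
AS_OF = date(2016, 3, 1)  # reporting date; open findings accrue latency up to here


def hours_between(start, end):
    return (end - start).total_seconds() / 3600


def mttr_by_month(incidents, assets, pii_only=False):
    """Mean hours from detection to containment per YYYY-MM.

    With pii_only=True the metric is indexed against asset value: only
    incidents touching PII-bearing assets are counted (the 'most useful' column).
    """
    buckets = defaultdict(list)
    for asset, detected, contained in incidents:
        if pii_only and not assets[asset]["pii"]:
            continue
        buckets[detected.strftime("%Y-%m")].append(hours_between(detected, contained))
    return {month: round(mean(v), 1) for month, v in sorted(buckets.items())}


def patch_latency(findings, assets, as_of, critical_only=False):
    """Mean days a finding stayed (or has stayed) unpatched, keyed by
    (line of business, severity). Still-open findings count up to as_of,
    so an unpatched critical item keeps the number growing every month."""
    buckets = defaultdict(list)
    for asset, severity, published, patched in findings:
        if critical_only and not assets[asset]["critical"]:
            continue
        end = patched or as_of
        buckets[(assets[asset]["lob"], severity)].append((end - published).days)
    return {key: round(mean(v), 1) for key, v in sorted(buckets.items())}


def expected_loss(assets, annual_breach_probability, cost_per_record):
    """Probable sensitive records lost over the coming 12 months and their cost.

    annual_breach_probability maps asset name -> estimated probability of a
    breach in the next year. Those probabilities and cost_per_record are
    inputs the risk team must estimate; the values in __main__ are illustrative.
    """
    records = sum(a["records"] * annual_breach_probability.get(name, 0.0)
                  for name, a in assets.items() if a["pii"])
    return {"probable_records_lost": round(records),
            "cost_impact": round(records * cost_per_record)}


if __name__ == "__main__":
    print("Total incidents (less useful):", len(INCIDENTS))
    print("MTTR by month, all assets:", mttr_by_month(INCIDENTS, ASSETS))
    print("MTTR by month, PII assets:", mttr_by_month(INCIDENTS, ASSETS, pii_only=True))
    print("Patch latency by LOB/severity:", patch_latency(FINDINGS, ASSETS, AS_OF))
    print("Patch latency, mission-critical only:",
          patch_latency(FINDINGS, ASSETS, AS_OF, critical_only=True))
    probabilities = {"web-01": 0.05, "db-01": 0.02, "hr-app": 0.10}  # assumed
    print("Expected loss:", expected_loss(ASSETS, probabilities, cost_per_record=150.0))
```

Note how the same four incidents produce a very different January number once the kiosk incident is excluded (39 hours overall versus 6 hours for PII assets): the raw count says nothing, the context-indexed figure tells the board that the assets they care about were contained quickly. The expected-loss function also makes the board’s blind spot explicit, since its output is only as good as the breach probabilities fed into it, which is exactly the kind of uncertainty the "Respect the Board" section says to disclose rather than hide.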
Answer These Questions To Give Context
- How are our most important assets being protected in comparison to our least important assets?
- What kind of employee and third-party vendor user behavior is elevating our risk of getting breached?
- How does our cybersecurity strategy align with our business objectives?
- What process is in place to identify if we are breached?
- How do we measure the effectiveness of our cybersecurity program?
- What would it cost us if the sensitive data in our eCommerce system was stolen?
- What is each line of business doing to manage its own department’s cyber risk?
- By how much has that cyber risk decreased during the past quarter?
- What steps are we taking to remediate that risky behavior?
- What percentage of our vendor users with access to our network are putting us at risk of a compromise?
Respect The Board
Respect is a two-way street. If you don’t come to the table with a healthy respect for your directors, you’re not likely to win that respect back from them. Directors are typically smart, competent and confident people. They may not be experts in security, but they do know how to steer a business away from risk and toward profit by listening to subject matter experts. However, they expect those experts to frame their advice around relevant business concerns.
In other words, you’re not going to impress a board with how smart you are by throwing technical jargon at them that will go over their heads. Quite the opposite. Instead, they’ll be frustrated that you don’t understand their concerns. They’ll hammer you with questions about what those technical points actually mean for the business. And once you eventually speak the language they understand — the language of business risk — they’ll wonder why you didn’t start there in the first place.
Similarly, transparency and honesty are the currency of a respectful relationship. Are you thinking about holding back certain data or maybe changing a baseline start date to make performance look a little better? Just stop. That kind of dishonesty will eventually be discovered and it will not only undermine your credibility, but could cost you your job.
In the same vein, if you have metrics that are based on incomplete data sets, that’s OK as long as you’re transparent about what you don’t know. Let the board know where the blind spots are and help them decide if further investment or work is needed to clear them up.
64 percent of boards look for risk and cybersecurity experience from new directors.
Develop a reproducible process
A large number of security executives today take a point-in-time approach to reporting to the board. They might ask their reports for status updates on very specific security metrics and manually compile them into a spreadsheet. They toss those numbers into some slides and then give their presentation. If they survive that ordeal, they take a deep breath, put the spreadsheet away and come back to do the same thing three to six months later.
The problem is that those reports are disconnected from how you actually combat cyber risk every single day. That is a continuous process, and that is the story you should be telling board members, so they can track progress from period to period. To do that reliably, you’re going to need a better process for gathering metrics and observations.
Ultimately, you’re seeking the most elegant way to show the real state of affairs in cyber security risk. As a security expert, your role is to be a risk leader who is tasked with presenting the most accurate and complete information possible so that the board understands its risk posture, can make decisions and has a yardstick to measure whether it’s getting better over time.
50 percent of senior IT professionals don’t have procedures in place to measure their existing security programs.
5 Keys to Reliable Reporting Metrics
TRUSTWORTHY: Metrics are based on attributes that aren’t unduly affected by personal bias or which can be gamed by those being reported on.
TRACEABLE: The process for collecting and parsing data is transparent and easy to understand.
AUTOMATED: The means of collection is reproducible and, preferably, automated to ensure precise measurements over time.
DEFINABLE: There’s a standardized method for collecting data presented to the board.
CONTINUOUS: Data is collected in as near to real time as possible.
For more information, please visit www.baydynamics.com
www.twitter.com/BAYDYNAMICS
www.linkedin.com/company/bay-dynamics/
www.facebook.com/bay.dynamics