Chief information security officers (CISOs) may have hundreds of cybersecurity metrics to manage, but only a fraction of those will be relevant to the board and C-suite. A good CISO has to distill data into an easy-to-understand dashboard and communicate risk to a board that doesn’t want complex technical details.
With data coming from many directions and leadership expecting the CISO to make sense of it all, choosing metrics that are aligned with organizational goals is essential. Here are some ways to select the cybersecurity metrics that will matter most to the board.
“CISOs should speak to cybersecurity risk as a strategic business opportunity, instead of making it all about operational risk.”
• Focus on the data that drives decisions Don’t track metrics simply for the sake of tracking metrics. If a metric isn’t enabling business decisions or influencing behavior, don’t waste your time on it.
• Establish a baseline of what is a low, medium, and high risk Despite cybersecurity risk frameworks like NIST, there is little standardization in information security. Based on your organization’s policies and risk appetite, you can set up a baseline and thresholds to help you prioritize risks (and easily articulate them in the boardroom). We dive deeper into cybersecurity risk management in our eBook, CISOs in the boardroom.
• Organize metrics by departments From governance to security ops, separating data this way can actually bring the organization closer together. When you get buy-in from leaders and managers and have more eyes on the data, you end up with powerful insights.
• Look at the speed of risk reduction It’s important to go beyond basic “count” metrics. For example, rather than reporting the number of critical vulnerabilities, focus on the number that are still open after 60 days.
• Use the right technology Can you merge data from different tools—not just security and GRC tools, but ERP systems? It’s essential that your tech solution is able to process data through an analytics engine, put it on a schedule, and create storyboards. Learn how you can effectively manage security operations with our centralized cybersecurity management solution.
• Be prepared to compare The board will often want to know how your organization’s security posture stacks up against the competition. Using a tool like BitSight Security Ratings, you can see (and share) the security score of your organization, competitors, and the industry overall.
Presenting cybersecurity risks to the board
CISOs should speak to cybersecurity risk as a strategic business opportunity, instead of making it all about operational risk. Similarly, metrics should be actionable and aligned with the organization’s objectives. Metrics aren’t just numbers. They’re a chance to tell a story about your organization’s past, present, and future, so make it an interesting and valuable one for your audience.