Start with the Big Five
Security metrics reported to the board need to be clear, actionable and impactful. In other words, they must be aligned with business goals and stated in terms that are immediately understandable. Here are five business areas that a CISO should consider when building out metrics-based reporting for a board of directors and other business leaders:
- A breach’s impact on sales or operations: CISOs can base this metric on publicly acknowledged, real-world incidents that have affected companies similar in size and revenue, such as a data-loss scenario where customer data is sold on the dark web or a malicious insider steals and sells a company’s intellectual property.
- Regulatory consequences of security failures: What fines or sanctions could the company face if security and privacy compliance mandates are not met, under both current and upcoming regulations? Remember that regulations evolve continuously and increasingly span multiple jurisdictions, so the exposure is international rather than limited to the company's home market.
- Customer losses after a security lapse: Perhaps the greatest risk to a business is the potential loss of customers in the wake of a breach. To communicate such a risk, a CISO can build realistic scenarios, such as a ransomware attack that shuts down the finance department.
- Improvements to risk mitigation: Report on defensive controls whose cost is justified against the risk they reduce and the business goals they support, and show how the company's security posture compares with that of its peers.
- The incident response plan: What remediation measures are in place, and what measures are planned, in the event of a security incident that impacts critical data and systems? The focus here should be on the most likely types of incidents, based on the CISO’s knowledge of emerging security risks, and how to repair not only direct damage but also reputational damage.
These metrics will demonstrate where and how well the program is working by articulating how much revenue is being protected, how security initiatives improve efficiency and productivity, and where the gaps lie.
Tie Metrics to Company Goals
Each of these metrics must be based on a clear understanding of the company’s goals. To gain this level of awareness, CISOs should work with senior management and business unit heads to learn which systems, data and assets would have the biggest impact if compromised.
The practice of discussing cybersecurity threats and their potential impact can build rapport with various business teams while also providing a broader understanding of the issues and uncovering potential solutions. In addition, when the security team talks with colleagues who generate revenue, especially the sales and marketing teams, it gains a deeper understanding of what drives revenue, which helps it identify which data is truly sensitive. This exercise can also give insight into what would happen, in terms of revenue, if that data were compromised or made unavailable.
A business impact analysis is a vital tool for revealing high-priority assets, their overall value, and the current amount of protection for each. It can help prioritize incident response for various assets and help the CISO identify how security programs contribute to the company’s revenue. Such an analysis can be especially helpful for CISOs who have come up through the technical side of the business and may have a lower comfort level with business issues.
A clear understanding of corporate goals and paths to revenue can clarify how implementing the security strategy will help the organization and its employees accomplish their goals. Researching the threats the organization is likely to face in the coming months can reveal where gaps in security lie. The CISO can then discuss the most important threats, the gaps they expose, and what it will take to close those gaps.
With these steps, the CISO can move beyond being simply the provider of compliance checks to become a true business enabler. By taking a business-first approach, security can serve as a bridge between the board and the IT and security team. A focus on the most critical measurements — understandable, actionable and impactful — will lead to clear communication of the current and desired security posture in terms that the audience understands instinctively. What better way to advocate for funding where it is really needed?