May 17 2022

How Should Cybersecurity Leaders Report on Their Progress?

It’s not enough to say “We didn’t get hacked.” They must clearly communicate the business benefits of the actions they take.

It has taken years since the role of CISO was created in 1994 in response to cyberattacks targeting a major bank for security to play a part in corporate decision-making. Despite managing an ever-increasing list of responsibilities — cyber risk, data loss, fraud prevention, identity and access management, investigations, forensics and more — the CISO often reported to another C-level executive and was rarely involved in business strategy.

Today, however, organizations understand that the security function protects not only technology but also the lifeblood of the organization: data, identities, intellectual property and business processes. This deeper understanding of security’s role has led to increased access to the board, closer participation in business discussions, and responsibility for reporting on the state of security.

The big problem with such reporting is that the head of security often speaks a different language than the board. Tech-centric jargon, the number of vulnerabilities and patches, or mean-time-to-response metrics can leave business leaders shaking their heads or tuning out. Comparisons to proven models, such as those produced by the National Institute of Standards and Technology and the International Organization for Standardization, don’t make sense without lengthy contextual discussions, but the amount time for a board presentation is generally limited.

The security metrics discussion must necessarily bridge the gap between the complex world of security and the revenue and business outcome mindset of the audience.

Click the banner below to unlock exclusive cloud content when you register as an Insider. 

Start with the Big Five

Security metrics reported to the board need to be clear, actionable and impactful. In other words, they must be aligned with business goals and stated in terms that are immediately understandable. Here are five business areas that a CISO should consider when building out metrics-based reporting for a board of directors and other business leaders:

  1. A breach’s impact on sales or operations: CISOs can base this metric on publicly acknowledged, real-world incidents that have affected companies similar in size and revenue, such as a data-loss scenario where customer data is sold on the dark web or a malicious insider steals and sells a company’s intellectual property.
  1. Regulatory consequences of security failures: What kind of fines might be levied against a company if security and privacy compliance mandates are not met, in light of current and upcoming regulations? Remember, regulations are continuously evolving, and in the modern world they are international.
  1. Customer losses after a security lapse: Perhaps the greatest risk to a business is the potential loss of customers in the wake of a breach. To communicate such a risk, a CISO can build realistic scenarios, such as a ransomware attack that shuts down the finance department.
  1. Improvements to risk mitigation: This requires reporting on well-researched defensive systems that balance ROI and business goals, and information on how the company compares with its peers.
  1. The incident response plan: What remediation measures are in place, and what measures are planned, in the event of a security incident that impacts critical data and systems? The focus here should be on the most likely types of incidents, based on the CISO’s knowledge of emerging security risks, and how to repair not only direct damage but also reputational damage.

These metrics will demonstrate where and how well the program is working by articulating how much revenue is being protected, how security initiatives improve efficiency and productivity, and where the gaps lie.

Tie Metrics to Company Goals

Each of these metrics must be based on a clear understanding of the company’s goals. To gain this level of awareness, CISOs should work with senior management and business unit heads to learn which systems, data and assets would have the biggest impact if compromised.

The practice of discussing cybersecurity threats and their potential impact can build rapport with various business teams while also providing a broader understanding of the issues and uncovering potential solutions. In addition, when the security team communicates with colleagues who generate revenue, especially the sales and marketing teams, admins gain a deeper understanding of what drives revenue, which can help them better identify sensitive data. This exercise can also give insight into what would happen, in terms of revenue, if that data were to be compromised or made unavailable.

MORE FROM BIZTECH: Learn how innovative tech can help drive business outcomes.

A business impact analysis is a vital tool for revealing high-priority assets, their overall value, and the current amount of protection for each. It can help prioritize incident response for various assets and help the CISO identify how security programs contribute to the company’s revenue. Such an analysis can be especially helpful for CISOs who have come up through the technical side of the business and may have a lower comfort level with business issues.

A clear understanding of corporate goals and paths to revenue can clarify how implementing the security strategy will help the organization and its employees in accomplishing their goals. Researching threats the organization will likely face in the coming months can identify where gaps in security lie. The CISO can then discuss the most important threats and describe what it will take to close them.

With these steps, the CISO can move beyond being simply the provider of compliance checks to become a true business enabler. By taking a business-first approach, security can serve as a bridge between the board and the IT and security team. A focus on the most critical measurements — understandable, actionable and impactful — will lead to clear communication of the current and desired security posture in terms that the audience understands instinctively. What better way to advocate for funding where it is really needed?

Mark Airs/Ikon Images

aaa 1

Register