When it comes to reporting to the board, there are plenty of tools at the CISO’s disposal. Looking at the right metrics and putting them in the right context can help turn your next board meeting into a source of confidence, not stress. Here are some helpful tips to create successful frameworks for your board reports.
The error that many CISOs and security leaders make is that they lead with security as a technology problem. However, most board members don't have the technical expertise to understand those reports, nor the context to understand what a count of blocked phishing emails means to their business. CISOs need a cybersecurity reporting toolkit that helps them frame the report in a way that is meaningful to the board and invites further conversation.
Instead, CISOs need to reframe the conversation as one about risk, which is the language the board understands. At the end of the day the board has a fiduciary responsibility to protect the company from loss, and understanding how cybersecurity performance or risky vendors affects that will enable them to make smart decisions and elevate the standing of security and risk leaders in their eyes.
The purpose of the board is to guide the business direction of the organization. Understanding that security is only a piece of that puzzle is crucial to a successful board report. When crafting your report, it can be helpful to show how your security program is aligned to the business objectives the board is trying to achieve. This will help get their attention and keep them engaged, as well as make it easier for them to understand the context in which you are discussing cybersecurity.
Most areas of the business, such as sales or marketing, track KPIs that are directly derived from the revenue or growth targets set by the board. While security may not have the growth impact of some teams, it still has a business impact, such as making business processes more efficient or facilitating digital transformation. Showing that you're thinking about how to align your program and goals to those targets, or at least keeping them in mind, will help establish a common language with the board.
The single biggest responsibility of the board of directors is to protect the company and reduce risk. By pivoting your report away from a "bits and bytes" technology discussion and towards risk, specifically risk that is material to business objectives, you can empower the board to engage in a more meaningful discussion on cybersecurity. By clearly communicating how cyber risk will impact the business, you're more likely to get board engagement to set the right priorities and to engage other executives in setting the right strategies.
According to a recent Forrester Consulting report, Better Security And Business Outcomes With Security Performance Management, the most common metrics reported to the board are as follows:
But Forrester is also clear that four of these metrics don't meaningfully communicate exposure or performance: they are measurements of our own efforts and don't put those efforts into a broader context. Forrester says that CISOs should think twice about reporting them to the board.
How is your own security performance reducing risk? Helpful KPIs include:
For more ideas, check out our 16 KPIs For Your Next Board Report infographic.
2. Vendor Risk
As part of the board's responsibility, they need to know if there are audit risks
© 2021 BitSight Technologies. All Rights Reserved.
BitSight Technologies | 111 Huntington Ave, Suite 2010, Boston, MA 02199 | +1-617-245-0469