In this guide, we’ll arm you with information to help you before, during, and after your next board presentation.
When it comes to reporting to the board, there are plenty of tools at the CISO’s disposal. Looking at the right metrics and putting them in the right context can help turn your next board meeting into a source of confidence, not stress. Here are some helpful tips to create successful frameworks for your board reports.
The error that many CISOs and security leaders make is that they lead with security as a technology problem. However, most board members don’t have the technical expertise to understand those reports, nor the context to understand what blocked phishing emails means to their business. CISOs need a cyber security toolkit for reporting that helps map out how to frame their report in a way that's meaningful to the board and empowers further conversation.
Instead CISOs need to reframe the conversation into one about risk, which is the language that the board understands. At the end of the day the board has a fiduciary responsibility to protect the company from loss, and understanding how cybersecurity performance or risky vendors impacts that will enable them to make smart decisions, and elevate the standing of security and risk leaders in their eyes.
Here is a CISO's cyber security toolkit for reporting that can help you do that.
A firm grasp of the business objectives
The purpose of the board is to guide the business direction of the organization. Understanding that security is only a piece of that puzzle is crucial to a successful board report. When crafting your report, it can be helpful to show how your cyber security program is aligned to the business objectives the board is trying to achieve. This will help get their attention and keep them engaged, as well as make it easier for them to understand the context in which you are discussing cybersecurity.
Understanding the KPIs the business is tracking
Most areas of the business, such as sales or marketing, will be tracking KPIs that are directly derived from the revenue or growth numbers set by the board. While security may not have the growth impact of some teams, security still has a business impact such as making business processes more efficient or facilitating digital transformation. Showing that you’re thinking about how to align your program and goals to those targets, or at least keeping them in the back of your mind, will help facilitate common communication with the board.
Understanding which areas of cybersecurity pose a risk to those business objectives
The single biggest responsibility of the board of directors is to protect the company and reduce risk. By pivoting your report away from a “bits and bytes” technology discussion and towards risk, and risk that is specific or material to business objectives, you can empower the board to engage in a more meaningful discussion on cybersecurity. By clearly communicating how cyberrisk will impact the business, you’re more likely to get board engagement to create the right set of priorities and engage other executives to set the right strategies.
Security KPIs that demonstrate the impact of risk
According to recent Forrester Consulting report — Better Security And Business Outcomes With Security Performance Management3 — the most common metrics reported to the board are as follows:
- 50% Number of malware incidents blocked
- 50% Percentage of intrusions blocked by firewall/network security
- 45% cybersecurity ratings
- 45% Percentage of phishing/malicious emails filtered
- 40% Number of data loss prevention (DLP) incidents generated
But Forrester is also clear — 4 of these metrics don’t meaningfully communicate exposure or performance — they are specifically measurements of our own efforts and don’t put it into broader context. And Forrester says that CISOs should think twice about reporting them to the board.
Instead, include the following in your reporting cyber security toolkit:
How is your own security performance reducing risk? Helpful KPIs include:
- Reduction in patching time
- Exposure to malware
- Mean time to resolve
For more ideas check out our 16 KPIs For Your Next Board Report infographic
2. Vendor Risk
Security ratings can be helpful to quantify vendor risk
- What is the average vendor score?
- What is the score for critical vendors?
- Is it trending up or down?
- Accuracy of assessments against portfolio performance metrics
As part of the board’s responsibility, they need to know if there are audit risks
- “Are we ISO-27001-compliant?”
- “Do we have any outstanding high- risk findings open from our last audit or assessment?”
- “What percentage of the NIST framework are we implementing?”
How has your security program empowered the business? This is where it can be useful to track against the business’s larger KPIs
- Has time to onboard new vendors decreased?
- Has improved security reduced down time for digital assets?
- Is your security program making the WFH transition more efficient?