Not long ago, corporate executives would give only passing thoughts to their organization’s cybersecurity postures. Leadership and board members would take notice in the wake of a major data breach, for example, or a couple of times a year as a “check the box” exercise to maintain compliance with regulations. Overall, however, cybersecurity analytics didn’t really garner much attention.
That changed in 2020. In the wake of the pandemic, cybersecurity incidents rose and became more sophisticated with phishing campaigns and ransomware attacks becoming more prevalent. Industries like healthcare and scientific research were particularly hard hit, but no sector was spared. The year culminated in the exposure of the SolarWinds breach, possibly the largest and most consequential third-party breach ever.
The rise in threats made executives take more notice of the way their organizations are using cybersecurity analytics to mitigate risk and reduce threats to their businesses. A recent survey by PwC shows that 96% of executives have shifted their cybersecurity strategy due to COVID-19, indicating a new seriousness about cybersecurity among the C-suite. That same survey discovered that 55% of respondents lack confidence their cybersecurity spending is allocated towards the most significant risks. This is in line with Gartner research indicating boards are asking for increased data and accountability into what their significant investments in cybersecurity technologies have bought them.
Using cybersecurity analytics to gauge performance outcomes
Executive leadership may very well look at recent cybersecurity attacks in both shock and wonder: shock at the scale and implications of the attacks, and wonder about how, with average annual cybersecurity expenditures numbering in the hundreds of millions of dollars, these attacks even took place. They may ask: where is all of that money going? What is it getting us?
Answering those questions requires cybersecurity analytics that tie organizations’ overall risk and security postures directly back to business outcomes. CISOs and their security teams must be able to dig deep into their performance cybersecurity metrics and use that data to address several key points that are top of mind with company leadership:
- How does cybersecurity performance compare to competitors or the company’s industry as a whole?
- How did the company’s cybersecurity performance improve over last year? (This is a particularly compelling question to be able to answer, especially in light of the rise in attacks over the course of 2020.)
- Did the time it takes for the organization to patch known vulnerabilities and address security concerns increase or decrease?
- Is the organization more or less at risk from our third-party vendors?
In other words, it’s not enough to capture the risk the organization faces, and mitigate that risk. CISOs must showcase the business outcomes their cybersecurity initiatives are driving. Essentially, they need to make a case for their cybersecurity initiatives and show they are making a tangible, demonstrable difference in their organizations.
This requires more than a report proving the company mitigated 10,000 phishing attacks over the past year. While that sounds impressive, those numbers mean nothing to executive leadership without some form of context into how that mitigation impacted the business. Leadership needs metrics that show their cybersecurity dollars are being well spent. Tools that offer security performance management and third-party risk management help because they provide perspective into how organizations are doing relative to their markets and overall risk levels.
Executives are business experts, not cybersecurity professionals
When presenting these metrics, it’s important for CISOs to remember who they’re talking to. Just because leadership might have a vested interest in their organizations’ cybersecurity initiatives doesn’t mean they understand (or even want to understand) everything that goes into those initiatives. Hence, it’s important for information to be presented in a highly consumable way that speaks to top executives and board members in their own language, whether through a cybersecurity dashboard or easy-to-digest reports.
Business leaders respond to numbers. CISOs must present them with measurable metrics that show that cybersecurity efforts are working and positively impacting their bottom lines. Analysis of the reduction in the number of cybersecurity incidents over a period of time, or of how cybersecurity efforts have led to reduced risk or business growth, provides good data points to share. Establishing clear and measurable goals and KPIs is also important to establish accountability and show the cybersecurity team is hitting its marks.
There are many more strategies CISOs need to consider as executives continue to home in on the effectiveness and ROI of their organizations’ cybersecurity programs. Many of these strategies are detailed in our complimentary ebook, CISO’s Guide to Reporting to the Board. In it, CISOs will learn how to validate their cybersecurity efforts to organizational leadership in ways that will resonate with top executives and board members.
That resource is, and will undoubtedly continue to be, more important than ever, because cybersecurity is no longer an afterthought and the executive suite is paying close attention.