Executive leadership may very well look at recent cybersecurity attacks with both shock and wonder: shock at the scale and implications of the attacks, and wonder at how, with average annual cybersecurity expenditures numbering in the hundreds of millions of dollars, these attacks took place at all. They may ask: where is all of that money going? What is it getting us?
Answering those questions requires cybersecurity analytics that tie an organization’s overall risk and security posture directly back to business outcomes. CISOs and their security teams must be able to dig deep into their cybersecurity performance metrics and use that data to address several key points that are top of mind for company leadership:
In other words, it’s not enough to capture the risk the organization faces, and mitigate that risk. CISOs must showcase the business outcomes their cybersecurity initiatives are driving. Essentially, they need to make a case for their cybersecurity initiatives and show they are making a tangible, demonstrable difference in their organizations.
This requires more than a report proving the company mitigated 10,000 phishing attacks over the past year. While that sounds impressive, those numbers mean nothing to executive leadership without some form of context into how that mitigation impacted the business. Leadership needs metrics that show their cybersecurity dollars are being well spent. Tools that offer security performance management and third-party risk management help because they provide perspective into how organizations are doing relative to their markets and overall risk levels.
When presenting these metrics, it’s important for CISOs to remember who they’re talking to. Just because leadership has a vested interest in the organization’s cybersecurity initiatives doesn’t mean they understand (or even want to understand) everything that goes into those initiatives. Hence, information must be presented in a highly consumable way that speaks to top executives and board members in their own language, either through a cybersecurity dashboard or easy-to-digest reports.
Business leaders respond to numbers. CISOs must present them with measurable metrics that show cybersecurity efforts are working and positively impacting the bottom line. Analyses of the reduction in the number of cybersecurity incidents over a period of time, or of how cybersecurity efforts have led to reduced risk or business growth, are good data points to share. Establishing clear and measurable goals and KPIs is also important, both to establish accountability and to show that the cybersecurity team is hitting its marks.
There are many more strategies CISOs need to consider as executives continue to home in on the effectiveness and ROI of their organizations’ cybersecurity programs. Many of these strategies are detailed in our complimentary ebook, CISO’s Guide to Reporting to the Board. In it, CISOs will learn how to validate their cybersecurity efforts to organizational leadership in ways that resonate with top executives and board members.
That resource is, and will undoubtedly continue to be, more important than ever, because cybersecurity is no longer an afterthought and the executive suite is paying close attention.