What Cybersecurity Questions the Board Really Wants Answered in Your Next Report

Boards are increasingly looking at cybersecurity as a crucial part of the business. The problem is, the board doesn’t always know what to look for or how cybersecurity impacts the business. What the board really wants to hear in the next report is how you’re generating results for the organization and how those results are creating ROI on the spend. Here are a few cybersecurity questions and a few metrics that the board really wants to hear about in the next report.

What Are CISO’s Reporting To The Board Now?

According to recent Forrester Consulting report — Better Security And Business Outcomes With Security Performance Management — the most common metrics reported to the board are as follows:

• 50% Number of malware incidents blocked
• 50% Percentage of intrusions blocked by firewall/network security
• 45% cybersecurity ratings
• 45% Percentage of phishing/malicious emails filtered
• 40% Number of data loss prevention (DLP) incidents generated
•  

But Forrester is also clear — 4 of these metrics don’t meaningfully communicate exposure or performance — they are specifically measurements of our own efforts and don’t put it into broader context. And Forrester says that CISOs should think twice about reporting them to the board.

What Metrics Does the Board Want To Hear?

When it comes to the substance of your presentation to the board, think of your job in this meeting as telling a story. You need to educate the board on the organizations’ cybersecurity posture, why you chose the metrics you did and what they mean for the business, how the personnel and the budget could affect those metrics so the board can make an informed decision about the company’s security investment.

There are a few different kinds of meetings that a CISO may have with the board, so it’s important tailor your presentation to each type of meeting. 

Here are a few metrics and cybersecurity questions to answer in your next meeting

1. New CISO meeting the board for the first time

1. What is your assessment of where we are now?
2. How do we benchmark against others in our industry or peer group?
3. What are the KPI’s we should be looking at?
4. How do those security KPI’s correlate to business outcomes?
5. What should we be doing differently to meet those KPI’s?

2. Budget justification and review 

1. How much have we spent this year vs last year?
2. Review of KPI’s
3. Roll up of ROI (how did security improve/not improve relative to spending)
4. Business impact (how did security enable the business to grow?)

3. Annual planning and strategy meeting

1. Review of organization’s overall strategy and plan and how security fits into it
2. Review of focus areas from last year
3. KPI update
4. Current benchmarking against competitors and peers
5. Changes to risk profile
6. Findings of independent assessments
7. Focus areas for the new year
8. Which areas of the business will be most impacted
9. Budget requirements
10. Projected KPI’s and results

4. Monthly or quarterly status 

1. Review of KPI’s and highlights from last meeting
2. Benchmarking update
3. Major wins/losses to date
4. Upcoming initiatives
5. Changes to risk profile

5. Event-driven board meeting

1. What happened?
2. What is the impact?
3. Is there a regulatory issue?
4. Have others in the industry been affected?
5. What remediation efforts have been undertaken?
6. Projected time to resolution
7. Expected outcome

In Summary

As Dmitiri Alperovitch, co-founder of Crowdstrike put it, “the responsibility of the board is not be involved operationally and tell the CISO which firewall to buy and which technology to deploy, but it is their responsibility to hold them accountable and make sure they have the resources needed.”

The board most likely has a small amount of security, or even technical, expertise, and it’s important to remember that cybersecurity is just one of many issues they are dealing with. Make sure you’re using KPI’s, metrics and outcomes that translate into business results for the organization. Most boards don’t care about the “bits and bytes” of security, they just want to make sure they’re doing as well or better than the competition, that the organization is minimizing it’s risk, and that there’s a firm ROI on their security budget. If you can answer those cybersecurity questions for them, you’ll find that the board of directions can be a willing partner.