What Cybersecurity Questions the Board Really Wants Answered in Your Next Report

Brian Thomas | December 8, 2020 | tag: Cybersecurity

Boards are increasingly looking at cybersecurity as a crucial part of the business. The problem is, the board doesn’t always know what to look for or how cybersecurity impacts the business. What the board really wants to hear in the next report is how you’re generating results for the organization and how those results are creating ROI on the spend. Here are a few cybersecurity questions and a few metrics that the board really wants to hear about in the next report.

What Are CISOs Reporting To The Board Now?

According to a recent Forrester Consulting report — Better Security And Business Outcomes With Security Performance Management — the most common metrics reported to the board are as follows:

  • 50% Number of malware incidents blocked
  • 50% Percentage of intrusions blocked by firewall/network security
  • 45% Cybersecurity ratings
  • 45% Percentage of phishing/malicious emails filtered
  • 40% Number of data loss prevention (DLP) incidents generated

But Forrester is also clear: 4 of these metrics don’t meaningfully communicate exposure or performance. They measure the volume of our own activity (events blocked, emails filtered, alerts generated) without putting that activity into the broader context of the risk the organization actually faces. Forrester says that CISOs should think twice about reporting them to the board.

What Metrics Does the Board Want To Hear?

When it comes to the substance of your presentation to the board, think of your job in this meeting as telling a story. You need to educate the board on the organization’s cybersecurity posture, why you chose the metrics you did and what they mean for the business, and how personnel and budget could affect those metrics, so the board can make an informed decision about the company’s security investment.

There are a few different kinds of meetings that a CISO may have with the board, so it’s important to tailor your presentation to each type of meeting.

Here are a few metrics and cybersecurity questions to answer in your next meeting:

  1. New CISO meeting the board for the first time

    1. What is your assessment of where we are now?
    2. How do we benchmark against others in our industry or peer group?
    3. What are the KPIs we should be looking at?
    4. How do those security KPIs correlate to business outcomes?
    5. What should we be doing differently to meet those KPIs?
  2. Budget justification and review

    1. How much have we spent this year vs last year?
    2. Review of KPIs
    3. Roll up of ROI (how did security improve/not improve relative to spending)
    4. Business impact (how did security enable the business to grow?)
  3. Annual planning and strategy meeting

    1. Review of organization’s overall strategy and plan and how security fits into it
    2. Review of focus areas from last year
    3. KPI update
    4. Current benchmarking against competitors and peers
    5. Changes to risk profile
    6. Findings of independent assessments
    7. Focus areas for the new year
    8. Which areas of the business will be most impacted
    9. Budget requirements
    10. Projected KPIs and results
  4. Monthly or quarterly status

    1. Review of KPIs and highlights from last meeting
    2. Benchmarking update
    3. Major wins/losses to date
    4. Upcoming initiatives
    5. Changes to risk profile
  5. Event-driven board meeting

    1. What happened?
    2. What is the impact?
    3. Is there a regulatory issue?
    4. Have others in the industry been affected?
    5. What remediation efforts have been undertaken?
    6. Projected time to resolution
    7. Expected outcome

In Summary

As Dmitri Alperovitch, co-founder of CrowdStrike, put it, “the responsibility of the board is not to be involved operationally and tell the CISO which firewall to buy and which technology to deploy, but it is their responsibility to hold them accountable and make sure they have the resources needed.”

The board most likely has only a small amount of security, or even technical, expertise, and it’s important to remember that cybersecurity is just one of many issues they are dealing with. Make sure you’re using KPIs, metrics and outcomes that translate into business results for the organization. Most boards don’t care about the “bits and bytes” of security; they just want to make sure they’re doing as well as or better than the competition, that the organization is minimizing its risk, and that there’s a firm ROI on their security budget. If you can answer those cybersecurity questions for them, you’ll find that the board of directors can be a willing partner.
