Boards are increasingly looking at cybersecurity as a crucial part of the business. The problem is, the board doesn’t always know what to look for or how cybersecurity impacts the business. What the board really wants to hear in the next report is how you’re generating results for the organization and how those results are creating ROI on the spend. Here are a few cybersecurity questions and a few metrics that the board really wants to hear about in the next report.
According to a recent Forrester Consulting report, Better Security And Business Outcomes With Security Performance Management, the most common metrics reported to the board are as follows:
But Forrester is also clear that four of these metrics don't meaningfully communicate exposure or performance: they are measurements of our own efforts and don't put those efforts into broader context. Forrester says CISOs should think twice about reporting them to the board.
When it comes to the substance of your presentation to the board, think of your job in this meeting as telling a story. You need to educate the board on the organization's cybersecurity posture: why you chose the metrics you did, what they mean for the business, and how personnel and budget could affect those metrics, so the board can make an informed decision about the company's security investment.
There are a few different kinds of meetings that a CISO may have with the board, so it's important to tailor your presentation to each type of meeting.
As Dmitri Alperovitch, co-founder of CrowdStrike, put it, "the responsibility of the board is not to be involved operationally and tell the CISO which firewall to buy and which technology to deploy, but it is their responsibility to hold them accountable and make sure they have the resources needed."
The board most likely has little security, or even technical, expertise, and it's important to remember that cybersecurity is just one of many issues they are dealing with. Make sure you're using KPIs, metrics and outcomes that translate into business results for the organization. Most boards don't care about the "bits and bytes" of security; they just want to know that they're doing as well as or better than the competition, that the organization is minimizing its risk, and that there's a firm ROI on their security budget. If you can answer those cybersecurity questions for them, you'll find that the board of directors can be a willing partner.
When it comes to reporting to the board, there are plenty of tools at the CISO's disposal. Looking at the right metrics and putting them in the right context can help turn your next board meeting into a source of confidence, not stress.
© 2021 BitSight Technologies. All Rights Reserved.