Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
For CISOs presenting security metrics to the C-suite, we suggest focusing on three main metrics: high-level stats that get attention, framework-based stats that provide assurance and finer-grained data that demonstrates rigor. This piece provides security
leaders with recommendations on how to use those three tips to provide executives and board members with the insights necessary to make strong risk management decisions.
For CISOs and other security leaders presenting to the C-suite,
we recommend starting high-level and qualitative, and then drilling down into empirical measurements. Consider the following three tips:
Board members do care about security, and they will tell you they do. However, when you walk into the room, you need to draw them into your material – into your headline to ensure you have their focus and attention. A good way to try and do that
is to connect to something relevant. Consider leading with something that already occupies a part of their attention, such as recent threats in the news.
Take the SolarWinds breach.
Board members are all over this. Most have generalized it to broader supply chain attacks. The topic of supply chain security brings in a myriad of cyber risk topics, like assurance (vulnerabilities/configurations), third-party
risk management (public cloud, etc.), software development lifecycle (SDLC) and more. Boards (if not already) will likely be leaning into this topic with the CISOs. Supply chain is becoming the new No. 1 cyber risk driving budgets. For right or wrong,
this is how it works.
From a metrics perspective, then, you can consider listing out both the capabilities relevant to this threat and those at risk in your organization. These measures should be more qualitative. They are meant to be drilled into. It’s here where you
would want to connect to the next level of metrics.
GET STARTED: CISO Compensation & Budget Benchmark Survey
For better or worse, your board and peer executives need constant assurance. With the first set of metrics, you have demonstrated you are thinking about threats. You have shown how those threats are relevant to your program and its capabilities, and you
have shown where there are opportunities for improvement.
Now, consider talking about your internal capabilities and connect them to an outside perspective. This is where you can build trust by using a framework supported by an outside authority. A suggested go-to is the NIST Cybersecurity Framework (CSF).
The NIST CSF is organized around five macro capability areas: identify, protect, detect, respond, and recover. It also provides several tiers or maturity levels (the CSF tries to make a case for the tiers not being maturity levels – but then goes
on to lay out how you use them to that very end).
You can make a case for supply chain assurance cutting across all the functions. For example:
Decompose each of the five capabilities into key “measurable” sub-capabilities, like the bullets above. Then assign measurement achievements, or key performance indicators (KPIs), for each sub-capability based on the CSF tiers.
Figure 1 below shows an example with just three of the NST CSF functions (protect, detect, respond) with modern sub-categories under each.
The KPI is a measurement that represents the tier of maturity you have achieved within that sub-category. For example, one of the maturity KPIs for vulnerability management (within CSF’s protect area) could be 90 percent scan coverage. You would
also likely have KPIs for remediation efficiency and more.
Figure 2 shows a portion of a NIST CSF-based dashboard that incorporates the categories in Figure 1.
Each KPI has more detailed metrics that support it, and that’s where you can demonstrate rigor. However, if detailed metrics are included in a board presentation, they should be in an appendix. Most board-level conversations happen at the framework
(assurance) level, not the detailed metric level.
For example, the CSF function of “protect” has the sub-category of “vulnerability management.” Vulnerability management has KPIs around “coverage” and “remediation management” and more. Figure 3 on shows
an example of metrics detail for remediation management (burndown).
When CISOs are presenting information security metrics to the board or other C-level executives, it’s important to keep the three categories of metrics front and center:
RELATED CONTENT: How Information Security Leaders Can Engage the Board Effectively
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 26, 2023
By IANS Faculty
Access key data sets from the 2023 edition of IANS and Artico Search’s Security Budget Benchmark Report. Gain valuable insights on security budget increases and the drivers behind them.
September 21, 2023
Learn why CISOs Need D&O Liability Insurance Coverage now more than ever along with guidance to help minimize potential cyber liability risk.
September 19, 2023
Discover the diversity of IANS Faculty's real-world expertise. Learn how our faculty members can help you solve your most challenging security issues.