This piece provides information security teams with examples of metrics that matter to board members and executives along with guidance for presenting the data in a way that makes it easy for leadership to understand and act on.
We highlight the following meaningful information security metrics for teams to track for executive leadership:
Consider sticking to reporting on items you can control. You cannot control how many attacks you face or how much email you receive, and if a number is not something you can control and improve, it is hard to build a compelling story around it. When reporting security metrics that matter to executive leadership, keep your eye on the goal: what do you want leadership to see and understand, and what actions are you hoping to spur? Decide on the stories you want to tell and the changes you want made, and then choose graphics that support them.
With penetration tests, teams usually need to show what was found and what the current state of remediation is. The cleanest way to do that is with a dual bar chart: show the number of original findings next to the number of findings left to remediate. We suggest displaying it as a function of spend, so it is clear how the cost of remediation affects the status (see Figure 1).
In the above penetration test result chart, it is easy to see that the findings that cost the most to fix are the ones still left to remediate, perhaps due to budget constraints. You could use a similar chart with time required in hours instead of cost, which tells the same story for resource constraints.
Vulnerability scan metrics are usually presented in line charts. Let's assume your organization has committed to a 15-day window to patch critical vulnerabilities, a 30-day window to patch highs and a 60-day window to patch mediums/lows. Consider using a red line to show the number of critical vulnerabilities that are still not patched 15 days out, an orange line to show the number of highs still not patched 30 days out, and so on (see Figure 2).
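The lines in that chart are just counts of open findings that have outlived their severity's window, sampled over time. The following is an added example, not code from the IANS post, that computes those counts from a constructed set of scanner findings; the 15/30/60-day windows are the ones assumed in the text, the record layout (`severity`, `first_seen`, `fixed`) is an assumption about what a scanner export contains, and a finding counts as past SLA only once it is older than the window (day 16 for a critical), which is a policy choice you should state when you present the chart.

```python
from collections import Counter
from datetime import date, timedelta

# Remediation windows the organisation committed to, in days from first detection.
# These are the values assumed in the article, not an external standard.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 60, "low": 60}

# Constructed sample findings (not real scanner output). One record per
# vulnerability instance: severity, date first observed, date fixed (None if open).
FINDINGS = [
    {"id": "f1", "severity": "critical", "first_seen": date(2024, 1, 2), "fixed": date(2024, 1, 10)},
    {"id": "f2", "severity": "critical", "first_seen": date(2024, 1, 5), "fixed": None},
    {"id": "f3", "severity": "high", "first_seen": date(2024, 1, 3), "fixed": None},
    {"id": "f4", "severity": "high", "first_seen": date(2024, 1, 20), "fixed": None},
    {"id": "f5", "severity": "medium", "first_seen": date(2023, 11, 1), "fixed": None},
    {"id": "f6", "severity": "low", "first_seen": date(2024, 1, 25), "fixed": date(2024, 2, 1)},
]


def is_open_on(finding, day):
    """True if the finding had been seen and was not yet fixed on `day`."""
    seen = finding["first_seen"] <= day
    still_open = finding["fixed"] is None or finding["fixed"] > day
    return seen and still_open


def past_sla_on(finding, day):
    """True if the finding is open on `day` and older than its severity's window.

    Boundary: a finding exactly SLA_DAYS old is still inside the window; it
    becomes overdue the day after. Unknown severities are an error rather than
    silently dropped, so a new scanner label cannot hide findings from the chart.
    """
    if not is_open_on(finding, day):
        return False
    sla = SLA_DAYS.get(finding["severity"].lower())
    if sla is None:
        raise ValueError(f"unknown severity {finding['severity']!r} on {finding['id']}")
    return (day - finding["first_seen"]).days > sla


def overdue_counts(findings, day):
    """Open, past-SLA findings per severity on `day`, zero-filled for every severity."""
    counts = Counter(f["severity"].lower() for f in findings if past_sla_on(f, day))
    return {sev: counts.get(sev, 0) for sev in SLA_DAYS}


def overdue_series(findings, start, end, step_days=7):
    """One (date, counts) point every `step_days` from start to end: the line-chart data."""
    series = []
    day = start
    while day <= end:
        series.append((day, overdue_counts(findings, day)))
        day += timedelta(days=step_days)
    return series


if __name__ == "__main__":
    for day, counts in overdue_series(FINDINGS, date(2024, 1, 1), date(2024, 2, 12)):
        print(day.isoformat(), counts)
```

Each point in `overdue_series` is one x-value on the chart, with the `critical` count feeding the red line and `high` the orange one. Plot the series as is; do not sum across severities, because a single overdue critical and thirty overdue lows tell leadership very different stories.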
You might also want to present the number of vulnerabilities you do not plan to address, and why. This can be done with a chart like the penetration test chart in Figure 1: one bar per severity (or per project, whichever makes the most sense), annotated with the cost to fix. List the affected projects and what you would need to do to fix them.
When it comes to reporting on the effectiveness of your phishing program, a good story to convey to leadership is that as the number of people attending phishing training increases, the number of people clicking on phishing emails drops. That can be shown in a bar chart (see Figure 3).
You might also want to show this by business unit. Another useful phishing metric is the number of users who are trained vs. those who click on phishing emails, broken down by type of campaign, e.g., a delivery service (UPS/FedEx) scam, mergers and acquisitions (M&A), taxes, spear-phishing, etc.
POA&M (plan of action and milestones) metrics can usually be shown most easily in a simple trend line. One option is to show the targets by quarter and whether those targets are met over time. Since each project has its own plan of action, each should have its own graphic for reporting (see Figure 4).
For log ingestion into your SIEM, consider a graphic similar to the POA&M example, with a trend line showing ingestion coverage for non-critical servers vs. critical servers over time (see the Sumo Logic example in Figure 5).
For endpoint security metrics, consider using a pie chart: most people can read one at a glance, so there is a good usability case for it. Consider showing lost productivity in hours, using categories like malware rebuilds, phishing cleanup, investigation, and hardware failure (see Figure 6).
Reporting on these by business unit is also a possibility, perhaps showing that Business Unit 3 is losing the most time to malware rebuilds. If malware rebuilds are taking an increasing amount of time and contributing to increasing amounts of lost productivity, a case can be made for better blocking technology. The idea is to report on the pain points and show a complete picture of the situation.
The idea here is to help executive leadership visualize the process. Consider using a stacked bar chart to present metrics on event occurrence, detection, containment, remediation, and strategic prevention for a variety of different events (see Figure
When presenting metrics to the C-suite and other executive leaders, it is important to be clear and keep your story front and center. To be successful:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
February 29, 2024
By IANS Research