InfoSec-Specific Executive Development for CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive labs to build you and your team's InfoSec skills
This piece provides information security teams with examples of metrics that matter to board members and executives along with guidance for presenting the data in a way that makes it easy for leadership to understand and act on.
We highlight the following meaningful information security metrics for teams to track for executive leadership:
Consider sticking to reporting on items you can control. You can’t control how many attacks you face, how much email you receive, etc. If it’s not something you can control and improve, crafting a compelling story becomes difficult. When reporting
on security metrics that matter to executive leadership, it is important to keep your eye on the goal. What is it you are trying to help leadership see and understand, and what actions are you hoping to spur? Figure out the stories you want to tell
and the changes you want made, and then align your graphics to support that.
With penetration tests, teams usually need to show what was found and what the current state of remediation is. The cleanest way to do that is with a dual bar chart. Show the number of original findings and the number of findings left to remediate. We
suggest displaying it as a function of spend, so it’s clear how the cost of remediation affects the status (see Figure 1).
In the above penetration test result chart, it’s easy to see the pen test report results that
cost most are still left to remediate, perhaps due to budget constraints. You could use a similar chart to show time required in hours, which would help tell a similar story for resource constraints.
Vulnerability scan metrics are usually presented in line charts. Let’s assume your organization has committed to a 15-day window to patch critical vulnerabilities, a 30-day window to patch highs and a 60-day window to patch mediums/lows. Consider
using a red line to show the number of critical vulnerabilities that are still not patched 15 days out, an orange line to show the number of highs still not patched 30 days out and so on (see Figure 2).
You might also want to present the number of vulnerabilities you don’t plan to address and why. This can be done in a way like the penetration test chart in Figure 1. Use one bar for criticals and cost numbers, whatever makes the most sense. List
the projects and what you would need to do to fix them.
When it comes to reporting on the effectiveness of your phishing program,
a good story to consider conveying to leadership might be that as the number of people attending phishing training increases, the number of people clicking on phishing emails drops. And that can be shown in a bar chart (see Figure 3).
You might also want to show this by business unit. Another interesting phishing metric is to show the number of users who are trained vs. those who click on phishing emails by type of campaign, e.g., a delivery service (UPS/FedEx) scam, mergers and acquisitions
(M&A), taxes, spear-phishing, etc.
POA&M metrics can usually be shown most easily in a simple trend line. An option here is to show the targets by quarter and whether those targets are met over time. Since each project will have different plans of action, they should each have their
own graphic for reporting (see Figure 4).
In terms of ingestion into your SIEM, consider creating a graphic similar to the POA&M example, with a similar trend line showing non-critical servers vs. critical servers (see the Sumo Logic example in Figure 5).
As for endpoint statistics, consider using a pie chart as most individuals can read them easily, so there’s a good case to be made for usability.
Consider showing lost productivity by hours, using categories like malware rebuilds, phishing cleanup, investigation, and hardware failure (see Figure 6).
Reporting on these by business unit is also a possibility, perhaps showing Business Unit 3 is losing the most time to malware rebuilds. If malware rebuilds are taking an increasing amount of time and contributing to increasing amounts of lost productivity,
a case can be made for better blocking technology. The idea is to report on the pain points and show a complete picture of the situation.
The idea here is to help executive leadership visualize the process. Consider using a stacked bar chart to present metrics on event occurrence, detection, containment, remediation, and strategic prevention for a variety of different events (see Figure
When presenting metrics to the C-suite and other executive leaders,
it’s important to be clear and keep your story front and center. To be successful:
RELATED CONTENT: How Information Security Leaders Can Engage the Board Effectively
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
October 19, 2021
By IANS Faculty
Continuous compliance requires continuous monitoring and validation of controls in the environment, as well as integration with governance, risk management and compliance tools and platforms. Understand the processes, tools, stakeholders and focus required for a best practice continuous compliance program.
October 14, 2021
Learn how the DDoS threat is evolving and get a step-by-step playbook to ensure your organization is protected against DDoS attacks and has a response plan in place.
October 12, 2021
Uncertain how to secure your M365 environment? Our Faculty identify and explain the five primary areas of M365 that will provide the best security return-on-investment with the least user experience impacts.