Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
The purpose of reporting board-level security information is to both succinctly communicate the status of the information security program, and request investments and support for improvements. The purpose of collecting operational metrics is to drive
behavior within a specific information security domain. By unifying board-level and operational-level communications, a CISO can better align and control the overall security program. This piece lists some commonly employed operational metrics and
demonstrates how they can be used to spark meaningful conversations with the board and deliver value to the organization.
A typical approach reporting information security the board-level might
The state of the security program should reflect the operational status of the security activities and controls. In effect, this is a roll-up of the operational metrics. Consider presenting the domains of the security program with red/yellow/green status.
Supplemental slides for any red domains can then delve into the specific operational concerns.
RELATED CONTENT: Guidance for CISOs Presenting to the C-Suite
When rolling up the security capabilities into domains, group them logically and aim for either six (two rows, three columns) or nine (three by three) so you can effectively communicate it all on one slide.
Figure 1 shows an example of a nine-domain security program.
Some commonly used operational metrics across the nine domains with the information security function are outlined here.
To effectively use these information security metrics to communicate to executive leadership and board:
Collect a broad range of measures. This provides historical context that will be useful when evaluating potential changes in the program.
Combine metrics with action. Most metrics are descriptive or diagnostic. By using forecasting and running improvement initiatives, metrics can be predictive or prescriptive.
Roll-up and summarize. Roll up the operational metrics for specific security capabilities into a small number (six or nine recommended) domains, and report on the efficacy of those domains in the board presentation.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
February 21, 2024
By IANS Research
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.
February 15, 2024
By Alex Sharpe, IANS Faculty
IANS Faculty member Alex Sharpe discusses the risks around AI adoption and provides governance guidance to make your AI launch safe and mitigate risk.
February 13, 2024
By IANS Faculty
Learn how to how to use NIST to modify secure baseline configurations to account for risk and improve security posture.