The purpose of reporting board-level security information is to both succinctly communicate the status of the information security program and request investments and support for improvements. The purpose of collecting operational metrics is to drive behavior within a specific information security domain. By unifying board-level and operational-level communications, a CISO can better align and control the overall security program. This piece lists some commonly employed operational metrics and demonstrates how they can be used to spark meaningful conversations with the board and deliver value to the organization.
A typical approach to reporting information security at the board level might
The state of the security program should reflect the operational status of the security activities and controls. In effect, this is a roll-up of the operational metrics. Consider presenting the domains of the security program with red/yellow/green status. Supplemental slides for any red domains can then delve into the specific operational concerns.
When rolling up the security capabilities into domains, group them logically and aim for either six (two rows, three columns) or nine (three by three) so you can effectively communicate it all on one slide.
Figure 1 shows an example of a nine-domain security program.
Some commonly used operational metrics across the nine domains within the information security function are outlined here.
To effectively use these information security metrics to communicate with executive leadership and the board:
Collect a broad range of measures. This provides historical context that will be useful when evaluating potential changes in the program.
Combine metrics with action. Most metrics are descriptive or diagnostic. By using forecasting and running improvement initiatives, metrics can be predictive or prescriptive.
Roll up and summarize. Roll up the operational metrics for specific security capabilities into a small number of domains (six or nine recommended), and report on the efficacy of those domains in the board presentation.
October 19, 2021
By IANS Faculty