The purpose of reporting board-level security information is both to succinctly communicate the status of the information security program and to request investments and support for improvements. The purpose of collecting operational metrics is to drive behavior within a specific information security domain. By unifying board-level and operational-level communications, a CISO can better align and control the overall security program. This piece lists some commonly employed operational metrics and demonstrates how they can be used to spark meaningful conversations with the board and deliver value to the organization.
A typical approach to reporting information security at the board level might
The state of the security program should reflect the operational status of the security activities and controls. In effect, this is a roll-up of the operational metrics. Consider presenting the domains of the security program with red/yellow/green status. Supplemental slides for any red domains can then delve into the specific operational concerns.
When rolling up the security capabilities into domains, group them logically and aim for either six (two rows, three columns) or nine (three by three) so you can effectively communicate it all on one slide.
Figure 1 shows an example of a nine-domain security program.
Some commonly used operational metrics across the nine domains within the information security function are outlined here.
To use these information security metrics effectively when communicating with executive leadership and the board:
Collect a broad range of measures. This provides historical context that will be useful when evaluating potential changes in the program.
Combine metrics with action. Most metrics are descriptive or diagnostic. By using forecasting and running improvement initiatives, metrics can be predictive or prescriptive.
Roll up and summarize. Roll up the operational metrics for specific security capabilities into a small number of domains (six or nine recommended), and report on the efficacy of those domains in the board presentation.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 29, 2022
By IANS Faculty