What are some metrics or KPIs that you’ve found particularly effective for clearly communicating risk to your board?
CIO in IT Services, 23 days ago
You should never give metrics to the board. They can't handle that kind of detail. They don't want it, and you have to keep it simple. They're non-technical. There's always someone aware of cyber issues, but it would be completely over their head. I counsel a lot of CISOs on this. In the background of our operations, we're being attacked millions of times a month, depending on the size of your organization. Their heads would explode if they knew that. They're just interested in the fact that you're not being breached and everything's going well. You don't want to open up that box to try to explain how and why you're being attacked so many times. It's beyond their scope, and you don't want to head down that path.

Senior Information Security Manager in Software, 23 days ago
You must know the board. After a while, you get to know who they are, what type of information they like, and what interests them. Speak to them accordingly. There was a joke by a reporter years ago who asked the Dalai Lama if he wanted a pizza with everything. It was a cute joke if you understand English and the culture, but the Dalai Lama didn’t, and it was extraordinarily awkward. With the board, you have to understand their language and culture. If they're not fluent in English, you can't use certain cultural references, and you may need to speak a little slower. There's a soft aspect to it—giving them the information they want in a way they can understand can make a significant impact. It can determine whether they see you as a valuable resource or prefer someone different.
The KPIs we present include:
Social Engineering / Phishing Simulation testing results; Third-party/Delegated Vendor Security Posture; Reportable Breaches; Security Operations (Incident Detection, Response, Escalation SLAs); Behavioral (Human & Assets) Analytics; Security Hygiene (patching cadence, email quarantine rate); Annual Risk Assessment results; Security/Privacy/Compliance mitigation workplan updates; Investigations (lost/stolen equipment, unreturned equipment, HR/Compliance investigation volume); SecDevOps code remediation; Overall company security posture; Overall status relative to regulatory reporting and year-end attestations.
We make an effort to provide as many simple visualizations as possible outlining quarter-over-quarter trends. If meaningful, the year-end presentation includes a security roadmap outlining new security initiatives and services, and services slated for sunset.
I try to keep away from actual statistics as they can become very difficult to understand for the audience.