What metrics, reports, or strategies should a security professional utilize to communicate the value to the board? Or is the mode of “presenting to the board” a damaged approach?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Barry Caplin (@bcaplin), executive leadership partner, Gartner.
Thanks to this week’s podcast sponsor, Anomali
Got feedback? Join the conversation on LinkedIn.
On this episode of Defense in Depth, you’ll learn:
- A conversation with the board begins with a discussion of what risk is. But getting that information out of the board is far from a simple task. Vague answers are not helpful.
- Here’s NACD Director’s Handbook on Cyber-Risk Oversight
- Metrics are of value to the board, but avoid offering up tactical metrics. Instead, utilize strategic metrics.
- Once risk appetite is understood and agreed upon, then it’s appropriate to begin a discussion of the security program’s maturity.
- Caplin recommends a four-slide presentation for the board:
  - Where we were: problem areas identified per risk and maturity.
  - What we spent, and a bit of why we spent it.
  - Where we are now (metrics come into play here). Best to show how much progress you've made in implementing security programs.
  - Where we want to go next, and what the next ask is.
- If you’re going to show a metric, it should answer a very specific question for the board.
- If you are going to show only one metric, the most popular one is dwell time: the time between when an attack happens, when you discover it, and when it's remediated.
- That single metric of dwell time says a lot about the maturity of a CISO's security program, because it tracks the program's ability to detect and respond to incidents.
- Some CISOs aim for a storytelling approach and avoid metrics entirely, because metrics have unfortunately led boards down the wrong path: either the wrong metrics, metrics that are too detailed, or metrics not tied to business risk or to a maturity model.