Making Cybersecurity Metrics Meaningful for the Board of Directors


By Bhavin Shah, Senior Consultant

The cyber threat landscape

Cybersecurity incidents have rapidly increased in the last few years. In response, organizations have spent billions handling data breaches, ransomware and other cyberattacks in reactive mode. This trend will continue as the competitive business landscape, digital business strategy and technological advancements continuously change organizations’ attack surfaces. Tactics used by cybercriminals – and, therefore, the threat vectors – will continue to evolve.

To address this ever-changing cyber threat landscape you must think out of the box and proactively develop the next generation of cybersecurity strategy. Just as importantly, to get buy-in for your cybersecurity and data security efforts, you must clearly articulate the measurable business outcomes associated with these efforts to your board of directors… and then back this up with data.

Your board is not interested in your operational metrics

In general, security organizations measure operational metrics like Phishing Click-Through, Ransomware Recovery, MTTC (Mean Time to Contain an incident), MTTR (Mean Time to Repair or Resolve an incident), Operating System Patching Cadence, Unassessed Third Parties, MFA Coverage, Endpoint Protection Coverage, Security Training and Privileged Access Management. While these operational metrics are very important to you and your team, they will not resonate with your board of directors unless you also present the real business value associated with them.

You must translate your operational metrics into business value

If you want to get buy-in for your cybersecurity efforts, do not simply present operational/security metrics and other technical data to your board of directors and expect them to understand why this information is important to the business. This data “as is” holds no value for them. Instead, first think in terms of the cybersecurity benefits associated with these metrics, and then translate those cybersecurity benefits into business outcomes and the business value they generate. This business value is what matters most to the board. In this process, the cybersecurity benefits are things such as a shorter window during which business-critical functions are exposed to exploitation, fewer unscheduled outages, a lower likelihood of a data breach, less time to recover from ransomware attacks and resume business operations, lower cybersecurity costs, and more.

Once you have identified quantifiable and measurable cybersecurity benefits, you must take it further in order to demonstrate the business value. How will this effort improve the following?

  • Your overall cybersecurity posture and resilience
  • The number and frequency of partner and customer issues
  • The number and frequency of regulatory issues
  • The security scorecard that you share with your partners
  • The cost of your cyber insurance coverage
  • Your revenue/profit/brand protection
  • Customer, partner and employee trust

For example, say you reduce your average days to patch by 25%. If you simply announce this to the board, they are not likely to understand why they should care. You need to explain that reducing your average days to patch by 25% will reduce the time period during which your environment is vulnerable to exploitation by 50% and result in a 40% improvement in the security scorecard that your organization shares with your partners to help them understand the status of your security posture. Plus, it will also reduce unscheduled outages by 40% and increase uptime to 99.9% availability. All of this, in turn, will provide revenue/profit/brand protection and growth.
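The operational metrics named above are only useful to the board once they are turned into period-over-period changes. The script below is an added example (not code from the article or from CIO Professional Services) that computes MTTC, MTTR, mean days to patch and cumulative exposure host-days from constructed incident and patch records for two reporting periods and expresses the change of each as a percentage. The metric definitions (MTTC as detection to containment, MTTR as detection to resolution, days to patch as vendor release to install) and all sample records are assumptions; the ratio between a patch-cadence improvement and the resulting reduction in exposure depends on your own data, so the output numbers here are illustrative only.

```python
"""Operational security metrics for two reporting periods, with percent
change per metric, in the form a board summary needs.

Added example, not the article's code. Metric definitions and all records
below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    detected: datetime
    contained: datetime
    resolved: datetime


@dataclass(frozen=True)
class PatchRecord:
    host: str
    released: date  # vendor patch release date
    applied: date   # date the patch landed on this host


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def mttc_hours(incidents) -> float:
    """Mean Time to Contain: detection to containment, in hours (assumed definition)."""
    return mean(_hours(i.detected, i.contained) for i in incidents)


def mttr_hours(incidents) -> float:
    """Mean Time to Resolve: detection to full resolution, in hours (assumed definition)."""
    return mean(_hours(i.detected, i.resolved) for i in incidents)


def mean_days_to_patch(records) -> float:
    """Patching cadence: mean days between vendor release and install."""
    return mean((r.applied - r.released).days for r in records)


def exposure_host_days(records) -> int:
    """Cumulative host-days during which a fix existed but was not yet applied.
    This is the 'time vulnerable to exploitation' figure a board can follow."""
    return sum((r.applied - r.released).days for r in records)


def pct_change(before: float, after: float) -> float:
    """Percent change from before to after; negative means a reduction."""
    return round((after - before) / before * 100.0, 1)


def board_summary(prev_incidents, cur_incidents, prev_patches, cur_patches) -> dict:
    """Each metric for both periods plus its percent change."""
    pairs = {
        "mttc_hours": (mttc_hours(prev_incidents), mttc_hours(cur_incidents)),
        "mttr_hours": (mttr_hours(prev_incidents), mttr_hours(cur_incidents)),
        "mean_days_to_patch": (mean_days_to_patch(prev_patches), mean_days_to_patch(cur_patches)),
        "exposure_host_days": (exposure_host_days(prev_patches), exposure_host_days(cur_patches)),
    }
    return {name: {"previous": b, "current": a, "change_pct": pct_change(b, a)}
            for name, (b, a) in pairs.items()}


# Constructed sample data: two incidents and three patched hosts per period.
PREVIOUS_INCIDENTS = [
    Incident(datetime(2024, 1, 10, 8), datetime(2024, 1, 10, 20), datetime(2024, 1, 12, 8)),
    Incident(datetime(2024, 2, 3, 9), datetime(2024, 2, 4, 9), datetime(2024, 2, 6, 9)),
]
CURRENT_INCIDENTS = [
    Incident(datetime(2024, 4, 5, 10), datetime(2024, 4, 5, 16), datetime(2024, 4, 6, 10)),
    Incident(datetime(2024, 5, 20, 7), datetime(2024, 5, 20, 19), datetime(2024, 5, 21, 19)),
]
_REL_PREV = date(2024, 1, 2)
_REL_CUR = date(2024, 4, 2)
PREVIOUS_PATCHES = [PatchRecord(h, _REL_PREV, _REL_PREV + timedelta(days=d))
                    for h, d in (("web-01", 30), ("web-02", 40), ("db-01", 50))]
CURRENT_PATCHES = [PatchRecord(h, _REL_CUR, _REL_CUR + timedelta(days=d))
                   for h, d in (("web-01", 20), ("web-02", 30), ("db-01", 40))]

if __name__ == "__main__":
    for name, row in board_summary(PREVIOUS_INCIDENTS, CURRENT_INCIDENTS,
                                   PREVIOUS_PATCHES, CURRENT_PATCHES).items():
        print(f"{name:20s} {row['previous']:>8} -> {row['current']:>8}  ({row['change_pct']:+.1f}%)")
```

With these constructed records the summary shows mean days to patch and exposure host-days both falling by 25% and MTTC and MTTR each halving; the percent-change column, not the raw hours or days, is the line that belongs on a board slide, paired with the business outcome it supports.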

Characteristics of good security metrics

While your discussions with your board will focus on business value, your starting point for determining that business value is your security metrics. Having good security metrics is therefore imperative.

Good security metrics enable your organization’s pragmatic decision making to set priorities and investments. They are highly relevant and consistently aligned with business outcomes. They are also useful for industry benchmarking, peer comparisons and measuring security maturity.

Conclusion

If you and your board of directors are not seeing eye-to-eye, CIO Professional Services can provide expert assistance ensuring you are measuring the right things and then demonstrating how your security metrics and initiatives drive business value. Sometimes bringing an experienced third party in to take a fresh look at things can make a world of difference.


About Bhavin Shah

Bhavin Shah is a big-picture thinker and visionary global technology executive whose expertise in driving technology innovation, digital business model transformation and enablement of revenue and business capabilities creates value for customers, opportunities for employees and growth for shareholders.

About CIO Professional Services

Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.
