Key Information Security Metrics and Board of Directors
By Angela Polania
Lately, I have been speaking with various clients about what should be reported to the board of directors and what actually matters to them. Obviously, one size does not fit all, but, as with anything presented to senior management and the board, it has to be concise, relevant, important and in plain English.
For instance, NACD (National Association of Corporate Directors), a global organization that trains and establishes boardroom best practices, provides extensive guidance and even offers a certificate program to its members (boards of directors of public and private companies) on cyber security oversight.
So, what are some of the suggested metrics and information you may want to display and provide to your board and senior leadership? From our experience, we have seen the following metrics and information provided consistently:
Cyber Risk Index in categories such as product risk (if companies are developing products), internal enterprise risk, vendor management, consumer facing, etc.
Overtime spent on Cyber Security and breakdown by activities (e.g. preventive, detective, breach response and containment, etc.).
Number of incidents related to exposed sensitive data and explanations on root cause.
Top findings and changes over time in audits, assessments, etc.
Top risk areas showing improvements over time with trends and impact.
Moreover, dashboards that display the risk level and overall trends toward maturity are very helpful. You may want to capture the overall risk level by area (e.g. IT risk management, user awareness and training, vendor management, IT operations, etc.), include information about findings from audits and assessments, and show the trend over time for improvement and/or areas requiring attention.
Regardless of the maturity of your program, company size and regulatory landscape, Cyber Security leaders should have at their fingertips, at a minimum, quarterly key metrics, information to track the program, its improvements and areas of risk, and the key information requested by management. As the saying goes, if it is not tracked, it cannot be measured.