
    Delivering Board-Level Cybersecurity Metrics that Matter

    Cybersecurity relies on commitment at the highest levels of an organization. It’s critical to ensure that the board and C-suite have the right insight to exercise oversight.

    by Thom Bailey

    Key Points

    • CISOs must ensure that their boards and C-suites get the right information and data about cybersecurity.
    • It’s vital to present metrics that matter most to the business — and not just repurpose operational metrics.
    • A company’s top leaders need metrics addressing business risk, strategic objectives and cost effectiveness to make more impactful cybersecurity decisions.

    Cybersecurity is a constantly changing landscape. New vulnerabilities, cyberthreats and attack methods appear while others fade away. Amid all the uncertainty, boards and C-suites must still grapple with these risks and how they could impact business. 

    Most companies’ top leaders have come to recognize that cyber risk is business risk, according to Mimecast’s eBook Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk. But there are high-level tradeoffs to consider: spending on cybersecurity programs vs. cyber insurance, for example, or deployment of additional security controls vs. business productivity and customer experience. CISOs need to arm their top leaders with the metrics and key performance indicators (KPIs) they need to make the right decisions to mitigate risk.

    Board-level metrics should achieve three goals:

    • Simplify decision-making: Easy-to-understand information is vital. The board and C-suite usually aren’t technically versed, and they’re too busy to wade through layers of data.
    • Focus on business risk: In any CISO’s board presentation, the business context is critical to support cybersecurity decision-making.
    • Deliver a cost/benefit analysis: If senior executives lack confidence in a program — and specific tools and methods — they’re less likely to authorize appropriate funding.

    Although there’s no template for the right metrics and KPIs — they depend heavily on an organization and its leadership — there are best practices and core metrics common to most cybersecurity frameworks.

    Metrics Underpin an Effective Cybersecurity Program

    A starting point for any board-level metrics framework is the recognition that every business is a technology company, on some level, and so digital risk is unavoidable. While conditions and events change — this includes everything from work models and technology tools to attack techniques — the common denominator is a need to understand actual risks and financial ramifications.

    As a result, it’s essential to apply a strategic focus to events, threats and organizational risks. CISOs must deliver the right level of information to the C-suite and board in terms they understand. Typically, this means presenting only the most salient data and information, keeping things brief and consumable, and avoiding geek-speak and jargon. If a CEO or CFO wants more information, they will ask for it. Conversely, business leaders don’t want to waste their time getting a CISO to clarify their use of jargon or unnecessary technical detail.

    Strategic elements such as plans, organizational objectives, costs and outcomes hit the sweet spot. Often, top leaders want a scorecard for how the company is currently performing, how it ranks among peers, what progress it has made (or is making), and where it hopes to be in 12 to 18 months.

    ISACA’s Risk IT Professional Practices Lead, Paul Philips, describes success as “finding ways to connect a cybersecurity story to the overarching story that the organizational leadership is telling.” The bottom-line question boards ask is whether “management is doing the right things to move us along in pursuit of our strategic goals.”[1]

    8 Board-Level Metrics and KPIs

    The bad news is that the cybersecurity industry itself lacks consensus on metrics, which complicates even basic risk management exercises such as industry benchmarking and comparative technology evaluations. The good news is that the following eight factors can still form the basis of powerful and genuinely useful board-level metrics.

    • Intrusion attempts vs. actual security incidents: At the least, this ratio offers a lens into the efficacy of cybersecurity protections. It’s even more useful if the data is correlated with costs, presented on a trend line, and normalized (for example, incidents per 10,000 blocked attempts) so that growth in attack volume doesn’t mask a change in the protection itself.
    • Mean time to detect: The interval from an attacker’s first activity (or a vulnerability’s disclosure) to its discovery. It shows how rapidly a company is identifying critical vulnerabilities and cyberattacks, and it’s particularly valuable when it can be compared with industry norms and top performers. Because a single long-dwell intrusion can drag the mean far from the typical case, report the median alongside it.
    • Mean time to respond: The interval from detection to the first deliberate response action. The longer an incident drags on, the higher the costs. This data, especially when tracked over time, demonstrates how effective systems and teams are in neutralizing critical vulnerabilities and attacks.
    • Mean time to contain: The interval from detection to the point at which the attacker can no longer spread or act. Gauging how well a company performs when a critical vulnerability or attack appears is at the core of fast containment, and of minimizing additional risk and cost.
    • Time to recover: The interval from containment to full restoration of affected services. An effective attack can impact customers, employees and business partners in very real ways. Downtime puts a company at risk. How fast an organization gets systems back online is crucial.
    • Human investment: Human error is a significant factor in cybersecurity. An effective training strategy along with drills can greatly diminish phishing success rates. Leading security awareness training programs can reduce clicks on bad links and other undesirable behavior, while also delivering risk scores that track employees’ improvement.
    • Security and regulatory compliance: Adhering to a growing spate of regulations, including privacy rules like Europe’s General Data Protection Regulation and the California Consumer Privacy Act, tops the list of concerns for the board and C-suite, who typically exhibit deep concerns about noncompliance, penalties and related reputational risk.
    • Cost/benefit analysis: As companies look to advance and evolve cybersecurity programs, it’s critical to understand what’s working, what isn’t working and where gaps exist. It’s wise to move beyond a green, yellow and red approach and instead use post-breach forensics and probability-based data. For example, how much might an upgrade lower the probability of a successful ransomware attack, and how much business is at stake?
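    The following Python is an added illustration of how the timing, ratio and cost/benefit metrics above can be computed from incident records; it is not Mimecast’s code and is not part of the original article. The three incidents and the monthly attempt counts are constructed, and the interval boundaries (first attacker activity to detection, detection to first response, detection to containment, containment to recovery) are assumptions, since the industry has no agreed definition. Medians are reported beside the means because one 30-day-dwell intrusion pulls the mean well away from what a typical incident looks like, which is exactly the distortion a board slide should not hide.

```python
"""Board-level incident metrics computed from incident records.

Added illustration, not Mimecast's code. All incident data is constructed.
Interval boundaries are assumptions; see the comments on each function.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass
class Incident:
    name: str
    first_activity: datetime       # earliest attacker action established by forensics
    detected: datetime             # alert raised and confirmed by an analyst
    response_started: datetime     # first deliberate response action
    contained: datetime            # attacker can no longer spread or act
    recovered: Optional[datetime]  # affected services fully restored; None if still open


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


# Assumed interval boundaries (there is no industry-wide standard for these).
def time_to_detect(i: Incident) -> float:
    return _hours(i.first_activity, i.detected)


def time_to_respond(i: Incident) -> float:
    return _hours(i.detected, i.response_started)


def time_to_contain(i: Incident) -> float:
    return _hours(i.detected, i.contained)


def time_to_recover(i: Incident) -> Optional[float]:
    return None if i.recovered is None else _hours(i.contained, i.recovered)


def summarize(incidents: list[Incident]) -> dict[str, dict[str, float]]:
    """Mean and median (hours) for each timing metric, plus the sample size.

    Open incidents are excluded from the recovery figure rather than counted
    as zero, which would flatter the number.
    """
    series = {
        "time_to_detect": [time_to_detect(i) for i in incidents],
        "time_to_respond": [time_to_respond(i) for i in incidents],
        "time_to_contain": [time_to_contain(i) for i in incidents],
        "time_to_recover": [t for t in (time_to_recover(i) for i in incidents) if t is not None],
    }
    return {
        name: {"mean": round(mean(vals), 2), "median": round(median(vals), 2), "n": len(vals)}
        for name, vals in series.items() if vals
    }


def incidents_per_10k_attempts(monthly: list[tuple[str, int, int]]) -> list[tuple[str, float]]:
    """Normalize incidents against blocked intrusion attempts so that rising
    attack volume does not read as worsening protection.
    Input rows are (month, blocked_attempts, incidents)."""
    return [(m, round(inc * 10_000 / attempts, 2)) for m, attempts, inc in monthly]


def control_value(p_before: float, p_after: float,
                  loss_per_event: float, annual_cost: float) -> dict[str, float]:
    """Probability-based cost/benefit for a proposed control: expected annual
    loss before and after, and the net benefit once the control is paid for."""
    before = p_before * loss_per_event
    after = p_after * loss_per_event
    return {"expected_loss_before": before, "expected_loss_after": after,
            "net_benefit": before - after - annual_cost}


# Constructed sample data (not real incidents).
T0 = datetime(2024, 1, 1)


def H(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)


INCIDENTS = [
    Incident("phish-01", T0, H(2), H(2.5), H(3), H(7)),          # caught quickly, recovered same day
    Incident("malware-02", T0, H(4), H(5), H(8), H(20)),         # endpoint cleanup overnight
    Incident("intrusion-03", T0, H(720), H(722), H(744), None),  # 30-day dwell, still recovering
]
MONTHLY = [("2024-01", 12_000, 3), ("2024-02", 15_000, 2), ("2024-03", 18_000, 2)]

if __name__ == "__main__":
    for name, stats in summarize(INCIDENTS).items():
        print(f"{name:16s} mean={stats['mean']:8.2f}h  median={stats['median']:7.2f}h  n={stats['n']}")
    print(incidents_per_10k_attempts(MONTHLY))
    print(control_value(0.30, 0.10, 2_000_000, 150_000))
```

    On the constructed data the mean time to detect comes out at 242 hours while the median is 4 hours; presenting only the mean would tell the board that detection is broken across the board, when the real story is one long-dwell intrusion worth its own line on the slide. The normalized attempt ratio falls from 2.5 to 1.11 incidents per 10,000 blocked attempts across the quarter even though raw attempt volume rose by half, and the control_value figures give the probability-based comparison the cost/benefit bullet asks for (hypothetical 30% to 10% ransomware probability against a $2M event and a $150K annual control cost).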

    These eight important factors can be best understood through the lens of actual preparation activities conducted by security teams. Activities such as tabletop exercises, or red/blue/purple teaming exercises, can help simulate disasters and successful cyberattacks so that organizations can better understand their current ability to respond. The importance of organizations regularly testing their defenses cannot be overstated.

    The Bottom Line

    Identifying the right metrics to present to the board and C-suite is central to developing a cybersecurity program equipped for today’s challenges. CISOs should review the metrics and KPIs they use to ensure that they’re business-focused and that they reflect a constantly evolving business, IT and cybersecurity landscape. Read more in Mimecast’s eBook Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk.


    [1] “Cyber Risk and Communicating to a Board of Directors,” ISACA Podcast.
