22.02.2021

Top Tips for Reporting Cyber Metrics

With companies relying on technology more than ever in their day-to-day operations, cybersecurity risk grows with each system that moves into a digital format. As cybersecurity can be a very technical field, a natural concern is how reporting cyber metrics to a Board of Directors should be handled.

When it comes to implementing a company-wide cybersecurity policy, security leaders such as CISOs, CIOs and BISOs are often met with unavoidable obstacles. Insufficient resources and budgets, and a lack of understanding of risk at the highest level, are typical issues. Since an organisation’s governance directly involves the board, it is vital for that board to be cyber aware and to support the implementation of a cybersecurity strategy.

There has, however, been a shift: cybersecurity is increasingly moving out of the purely technical sphere and into the boardroom. Board members are beginning to understand the importance of good cybersecurity practices in the digital world we find ourselves in. Many companies have renewed their boards of directors with younger directors who are more aware of the need to pay closer attention to cybersecurity, and of the importance of creating a company-wide policy that makes reporting a simple process for employees.

When discussing cybersecurity issues and metrics with a board of directors, the topic needs to be broken down and addressed in a clear, relevant and convincing manner. Looking at the individual barriers to cybersecurity solutions at board level is a good way to simplify cybersecurity reporting:

1. Understand the Board of Directors
2. Simplify ultra-technical terms
3. Convey real-life examples
4. Use metrics to show potential impacts
5. Discuss metrics in line with overall strategies
6. Focus on the facts
7. Look at overall risk management
8. Explain clearly the importance of cybersecurity
9. Make your case clearly and precisely

1) Understand the Board of Directors
Regardless of an organisation’s industry, size or maturity in terms of technology and cybersecurity, a successful presentation will depend on the audience’s knowledge of the field. CISOs should have an idea of the directors’ backgrounds, their respective roles and responsibilities, and their influence in the organisation. The more you know about each board member, the easier it will be to discuss cybersecurity and metrics effectively and to convince them of their importance.

2) Simplify ultra-technical terms
The board is unlikely to be familiar with the technical language used to describe cyber metrics and cybersecurity, so using simplified terms will help you convey the information to the board members and enable them to understand it.
Focusing on scenarios and on comparisons with more traditional types of security, such as banking and physical security, will put cybersecurity into relatable terms. For example, terms such as SIEM, DDoS and MITM attacks will mean nothing to someone without a background in the field, and could be replaced with more familiar concepts such as risk management, cyber-attacks and security principles.

3) Convey real-life examples
You should always make sure the metrics you are reporting are supported by definitive examples. This will help board members understand the importance of what you are saying.
For example, the company’s level of cybersecurity could be presented with a simple traffic-light system or a number scale, depending on the risks the organisation faces. The impact of particular cyber threats could be highlighted with recent known instances, showing the potential consequences, which may include the tangible costs of a specific type of attack. This will help the board understand the necessity of a cybersecurity policy and the risks of not implementing appropriate cybersecurity measures.

4) Use metrics to show potential impacts
Explain and discuss topics of interest and importance, such as the potential impact of an attack on the company’s reputation and the potential financial impact, and make clear the responsibility of the board members to prevent these. Putting cybersecurity into actual figures will drive its importance to the forefront of the board’s priorities.

5) Discuss metrics in line with overall strategies
Before talking to the board, familiarise yourself with the company’s overall strategy and objectives. Whatever metrics and cyber strategy you are discussing will be useless if they do not fit the overall strategy of the organisation. Remember, the board is mostly interested in the high-level strategy rather than technical details, so all the information you discuss with them should show how it will help the organisation achieve its overall business objectives. This will help you make your case, as the board will typically take a holistic view of the organisation.

6) Focus on the facts
Boards typically meet only periodically, and their time is precious. When reporting cyber metrics, it is important to be clear and concise, focusing on the critical elements. You need to be able to get to the point as quickly and clearly as possible. The board will appreciate a straightforward presentation and useful data, as it will allow them to make informed decisions.

7) Look at overall risk management
Companies usually have limited resources to manage cyber risks, so the board’s top priority will be to ensure that those risks are properly managed. Make sure the metrics you are reporting will have a lasting impact on the board and be of value to the company. Metrics should focus on the key strategies that can help improve the organisation’s cybersecurity. By talking in terms of risk management and using appropriate metrics and clear language, you will help the board better understand the importance of their role in protecting the organisation.

8) Explain clearly the importance of cybersecurity
Collating facts and figures, presenting them in an understandable way, and being prepared and able to answer questions clearly and accurately is imperative. When you report metrics, board members are likely to ask specific questions about the organisation’s current strategy, how it needs to evolve and why.

9) Make your case clearly and precisely
Data can be overwhelming, especially if it is not within your field of expertise. Find relevant figures and statistics and present them in a readable and measurable way to make your point; less is more in this instance. When discussing a change in cybersecurity strategy, metrics can make all the difference. For instance, a new strategy may require an 8% budget increase, but will generate a measurable return on investment because risk exposure will decrease by 25%. Knowing the significant and verifiable figures and metrics, and presenting them in a relatable way, will be key to convincing the board.

For a cybersecurity strategy to be effective and to bring lasting and significant change, CISOs therefore need to be smart and prepared when discussing cybersecurity with the board of directors. Time with the board is often limited, so focus on the most important elements and use clear metrics to ensure cybersecurity is taken seriously.

If the metrics are clear, relevant, and linked to the company’s overall operations, policies and priorities, there is a greater chance of gaining the board’s understanding and support.

Posted by: Rock Consulting