
The CISO’s Guide to Reporting Cybersecurity to the Board

04/06/2020

Organizations have multiple stakeholders, all of whom have varying levels of cybersecurity knowledge and interest. As a CISO, you need to be able to demonstrate the effectiveness of the cybersecurity solutions you employ in terms that fit each stakeholder’s area of expertise. Key performance indicators (KPIs) provide visibility into your network infrastructure that you can use to answer performance-related questions when presenting. This allows you to explain business risks and mitigation strategies in terms your board of directors will understand, ensuring that all parties are aligned.

Determining presentation goals and style

When creating your presentation, you should only include relevant information and focus on being concise with your explanations. Succinctly presenting cybersecurity performance makes it easier for board members to absorb the information that you are sharing with them. Using KPI data is recommended as it provides context into cybersecurity programs that can be used by the board when assigning a budget for cybersecurity.

Selecting the right cybersecurity KPIs for a board of directors

From a technical standpoint, you know the primary KPIs for proving effective cybersecurity control monitoring. Some of the most commonly used KPIs include:

  • Intrusion Attempts: Number of times malicious actors tried to gain unauthorized access to systems, networks, and software
  • Mean Time to Detect (MTTD): Time it took to detect security threats
  • Mean Time to Resolve (MTTR): Time it took to respond to a cyber attack
  • Mean Time to Contain: Time it took to re-secure the attack location
  • Patching Cadence: Frequency of installing security patches
  • Comparison with Peers: Your cybersecurity posture compared to industry peers’ posture
  • Vendor Risk Management (VRM): The way in which your organization mitigates supply chain cybersecurity risk to prevent third parties from causing a data breach

However, translating these technical data points into management-level metrics becomes challenging when reporting to the Board, since on their own they give little visibility into financial and reputational risk.
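As an added illustration (not code from the original post or from SecurityScorecard), the following script computes the time-based KPIs from the list above, MTTD, MTTR, Mean Time to Contain and patching cadence, from a constructed set of incident and patch records, and checks each result against assumed board-approved thresholds. The records, hosts, and threshold values are invented for the example; open incidents and unpatched hosts are reported separately rather than silently skewing the averages.

```python
from datetime import datetime, date
from statistics import mean, median

# Constructed sample records (not real data). A None timestamp means that
# step has not happened yet, e.g. an incident that is still open.
INCIDENTS = [
    {"id": "INC-1", "started": "2020-03-02T08:00:00", "detected": "2020-03-02T10:30:00",
     "responded": "2020-03-02T11:00:00", "contained": "2020-03-02T15:00:00"},
    {"id": "INC-2", "started": "2020-03-10T22:00:00", "detected": "2020-03-11T01:30:00",
     "responded": "2020-03-11T02:00:00", "contained": "2020-03-11T09:30:00"},
    {"id": "INC-3", "started": "2020-03-20T09:00:00", "detected": "2020-03-20T13:00:00",
     "responded": "2020-03-20T14:00:00", "contained": None},  # still open
]

PATCHES = [  # vendor release date vs. date the patch landed on each (invented) host
    {"host": "web-01", "released": "2020-03-01", "installed": "2020-03-04"},
    {"host": "web-02", "released": "2020-03-01", "installed": "2020-03-10"},
    {"host": "db-01", "released": "2020-02-15", "installed": "2020-02-20"},
    {"host": "db-02", "released": "2020-02-15", "installed": None},  # not yet patched
]

# Assumed risk-appetite thresholds agreed with the board (hypothetical values).
APPETITE = {"mttd_hours": 4, "mttc_hours": 6, "median_days_to_patch": 7}


def _hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps, or None if a step has not happened."""
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _avg(values):
    """Mean of the non-None values, rounded for a board slide; None if nothing to average."""
    done = [v for v in values if v is not None]
    return round(mean(done), 2) if done else None


def mean_time_kpis(incidents):
    """MTTD (start->detect), MTTR (detect->respond) and MTTC (detect->contain) in hours.
    Each mean only covers incidents that actually reached that step."""
    return {
        "mttd_hours": _avg(_hours_between(i["started"], i["detected"]) for i in incidents),
        "mttr_hours": _avg(_hours_between(i["detected"], i["responded"]) for i in incidents),
        "mttc_hours": _avg(_hours_between(i["detected"], i["contained"]) for i in incidents),
        "open_incidents": sum(1 for i in incidents if i["contained"] is None),
    }


def patching_cadence(patches):
    """Median days from vendor release to install, plus the hosts still waiting."""
    days, unpatched = [], []
    for p in patches:
        if p["installed"] is None:
            unpatched.append(p["host"])
            continue
        days.append((date.fromisoformat(p["installed"]) - date.fromisoformat(p["released"])).days)
    return {"median_days_to_patch": median(days) if days else None, "unpatched_hosts": unpatched}


def against_appetite(kpis, cadence, appetite):
    """True for each KPI that sits within the board's risk appetite, False otherwise.
    A KPI with no data (None) counts as out of appetite so it cannot pass by omission."""
    observed = {**kpis, "median_days_to_patch": cadence["median_days_to_patch"]}
    return {k: observed[k] is not None and observed[k] <= limit for k, limit in appetite.items()}


if __name__ == "__main__":
    kpis, cadence = mean_time_kpis(INCIDENTS), patching_cadence(PATCHES)
    print(kpis, cadence, against_appetite(kpis, cadence, APPETITE), sep="\n")
```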

Can security ratings platforms explain technical KPIs in business language?

The short answer to this is, “not in so many words.” The longer answer is that they do provide you a way to discuss the technical KPIs so that your Board understands both the risks associated with the business and how well you’re managing those risks.

Security ratings, while they may not necessarily use technical language, address all of the KPIs that matter to you as a CISO. As such, they can act as a bridge between your technical knowledge and the Board’s business-focused needs. However, when reporting these metrics to the Board, you often need to give not just the “what” but also the “why.”

Answering the right questions

Cyber risk management has become integral to organizational success and boards know this. Board members need to know how well equipped their organization is to handle cyber risk. As a CISO, it is your job to relay this information while presenting.

Below is a list of questions you should aim to answer in your presentation:

What is the organization’s cyber risk level?

To convey the overall risk level, you should highlight both your organization’s risk appetite and risk tolerance levels. Risk appetite is a predefined level of risk that is deemed acceptable by an organization. Risk tolerance is the measure of how much risk an organization can handle before becoming unsustainable. Using these measurements allows you to represent your organization’s overall cyber risk as it pertains to cybersecurity performance.

What are the organization’s top risks?

When determining your organization’s top risks you need to evaluate the historical impact individual cyber threats have had on your company’s bottom line. By looking at the financial impact of successful attacks, you can create a qualitative risk analysis and display top risks side by side. This will help you explain where risk is concentrated and which risks require additional attention.

How is the organization’s risk posture trending? Is risk increasing or decreasing?

To see which way your risk posture is trending, you should compare your cybersecurity performance to the organization’s risk appetite statements. Evaluating how well your cybersecurity solutions uphold your risk appetite will give your board an idea of whether risk is increasing or decreasing. Leveraging threat intelligence can help you visualize risk posture and show where improvements can be made.

Is the organization’s level of cybersecurity spending appropriate?

Determining whether or not you are spending enough money on cybersecurity can be difficult as there is no way to quantify the financial loss from a cyber attack until after it has occurred. That said, using data to show the ROI on cybersecurity investments illustrates how effectively money is being spent. Showing the return on investment will influence your board’s cybersecurity budget allocation and ensure that spending is done in a way that sustains your security capabilities.

What is the cyber risk associated with a new business prospect?

New business prospects provide an opportunity for growth, but can also introduce additional cyber risk. Showing the board that you are doing your due diligence when it comes to identifying potential business opportunities is crucial. You should be vetting all prospects to evaluate the general risk they pose to your organization. Additionally, be sure to highlight the processes you have in place to monitor your current partners’ risk.

Explaining key security details to the board

When presenting, it is important to explain cybersecurity matters in a way that both makes sense to and benefits the board.

Here are some examples of how you can explain key cybersecurity matters to your board of directors:

How to explain intrusion attempts

The word to focus on here is “attempt.” Malicious actors will always attempt to gain access to data; the questions are where cybercriminals focus their attacks and how well you are able to thwart them.

For example, if you’re continuously monitoring all organizational IP addresses and know the types of information associated with those addresses, you can gain visibility into the key business risks. Assume that, as part of your monitoring, you find that malicious actors focus on IP addresses associated with your corporate website. You know that no customer portal exists on the site, and internal users accessing the backend must use unique logins and passwords. Since the organization doesn’t store non-public information (NPI) on that address and the likelihood of credential theft providing access to systems, networks, and software storing NPI is low, you can tell the Board that the financial risk is low while the reputation risk is medium.

How to explain Mean Time to Detect (MTTD)

Ultimately, the main information you need to give your Board about this metric is: the time was short. The faster you can detect a risk, the more rapidly you can mitigate the threat. If your dashboard shows that you continuously monitor and maintain a consistent security rating, then you can easily explain the link between the two. Your Board can easily see that you maintain a robust security posture as long as you can say, “we were able to detect security threats within hours, meaning that we were able to mitigate them rapidly to prevent additional risk to the organization.”

How to explain Mean Time to Respond (MTTR) and Mean Time to Contain (MTCC)

Unfortunately, despite the best detection methods, malicious actors will more likely than not find a way to infiltrate your organization’s security defenses. Response time, then, becomes the next most important metric for your dashboard. The 2019 IBM Cost of a Data Breach report noted that employing an artificial intelligence (AI) platform reduced the costs of a data breach by $230,000 on average. With an AI platform, you can gain real-time visibility into the threat vector associated with the security incident, meaning that you can respond to the threat more rapidly.

If your security rating platform provides visibility into the risk factor associated with the security incident, you can prove how rapidly your team responded. For example, if the cybercriminals gained access to your systems using a cross-site scripting attack and your platform reviews for web application security as a risk factor, you can easily see the lowered score to respond directly to that issue. Then, you can monitor the risk factor and provide the increased score post-response as a metric for proving rapid response time. Additionally, the improved score gives a metric that provides the Board confidence over your ability to contain the threat. If the improved, post-incident risk factor score stays stable, you can show that the threat has been successfully contained.

How to explain patching cadence

Proving that all systems are continuously updated according to best practices can be challenging. The 2017 Equifax data breach arose from a single unpatched server. With a security rating platform that monitors patching cadence across all endpoints, you can gain insight into how well your organization maintains its patching cadence. A high score for that risk factor indicates that you are appropriately updating all devices, systems, networks, and software to mitigate risk. With this metric, you can tell the Board that your ability to view all of these locations and effectively update them lowers the organization’s financial and reputation risks.

How to explain vendor risk management effectiveness

Your security ratings platform enables you to review all of your vendors in the same way that you manage your own security. Often, organizations lack visibility into their supply chain risk. The IBM Cost of a Data Breach Report also noted that breaches caused by third parties cost $370,000 more than other breaches.

If you’re continuously monitoring your supply stream with a security ratings platform, you can give your Board confidence over technology decisions. In the same way that you use these metrics to prove your own cybersecurity posture, you can prove governance over your vendors. Not only can you show the Board that your supply stream is secure, but you can also give data surrounding your monitoring, including your communications with them and their response times.

How does the organization compare to its peers?

Annually, Boards of Directors review their position within their market. Security ratings platforms enhance their ability to gain insight into how well they compare with their peers, which informs their annual financial planning.

Security ratings platforms collect publicly available information which means that you can use the ratings to share your performance in a business-level language. If your security rating is lower than that of a peer, you can drill down into the risk factors associated with the ratings – both your own and those of your competitors. If one risk factor is causing the difference, then you can more easily report to your Board about how to improve the score and the budget they need to allocate to meet the market-level standard.

On the positive side, if your security ratings are stronger than peers, you can explain to your Board that you manage cybersecurity risks more effectively than your competitors do. Drilling down to the individual factors across your industry allows you to show your team’s expertise and gives the Board confidence in your abilities as a CISO. Additionally, you can use these scores as metrics to prove your ability to maintain effective information security controls as the Board looks toward new business objectives such as cloud migration.

SecurityScorecard enables effective cybersecurity KPIs for the Board

SecurityScorecard provides easy-to-read A-F ratings across ten groups of risk factors including DNS health, IP reputation, web application security, network security, leaked credentials, hacker chatter, endpoint security, and patching cadence. For CISOs trying to provide effective reports to their Boards of Directors, we bridge the gap between technical information and business-level needs.

Instead of giving long explanations with technical details, you can provide at-a-glance visibility into your continuous cybersecurity monitoring. Consistent ratings across all factors and a brief explanation of how those translate to business imperatives, such as financial or reputation risk, can give your Board the information necessary to make strategic decisions.

The platform incorporates portfolio creation so that you can review vendor risk by an individual vendor, cohort, or industry. These capabilities alert you to potential risks so that you can communicate them effectively to your Board, aligning a low score with a high risk. For example, organizations with a D or F rating are considered five times more likely to experience a data breach. Thus, you can give your Board better risk management data and explanations by incorporating that into your discussions.
